Kernel Module Removal

Elastic Detection Rules

Summary
This rule identifies attempts to remove kernel modules on Linux systems. Such attempts can indicate malicious activity aimed at disabling security features or evading detection by tampering with the operating system's kernel. Kernel modules allow kernel functionality to be extended dynamically without a reboot, so removing one can silently strip a protection the system relies on. The rule uses EQL (Event Query Language) to detect processes related to 'rmmod' (remove module) and 'modprobe' invoked with removal arguments, specifically when they are launched from common shell environments (e.g., bash, sudo). The assigned risk score is medium (47), indicating moderate concern about the threat this activity poses. Beyond identifying removal attempts, the rule offers guidance on investigating these events, including analyzing the process details and the user's privileges to determine whether the behavior is legitimate. It also acknowledges potential false positives from routine administrative tasks and automated scripts and suggests creating exceptions for known safe activity.
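To make the detection logic in the summary concrete, the following is an added example (not the Elastic rule's own EQL) that re-implements the described matching over constructed process events; the specific shell parent names and modprobe removal flags are assumptions for illustration.

```python
# Added example: a minimal re-implementation of the detection logic the
# summary describes, run over constructed process telemetry. Not the
# Elastic rule's own EQL. Parent names and removal flags are assumptions.
from dataclasses import dataclass

# Assumed set of parent processes treated as "common shell environments".
SHELL_PARENTS = {"bash", "sh", "dash", "zsh", "sudo"}
# Assumed modprobe arguments that request module removal.
MODPROBE_REMOVE_FLAGS = {"-r", "--remove"}


@dataclass(frozen=True)
class ProcessEvent:
    event_type: str          # e.g. "start"
    name: str                # process.name
    args: tuple[str, ...]    # full argv, argv[0] included
    parent_name: str         # process.parent.name
    user: str                # user.name, kept for triage context


def is_kernel_module_removal(ev: ProcessEvent) -> bool:
    """True for rmmod, or modprobe with a removal flag, started from a shell/sudo."""
    if ev.event_type != "start" or ev.parent_name not in SHELL_PARENTS:
        return False
    if ev.name == "rmmod":
        return True
    # modprobe also loads modules; only flag it when a removal flag is present.
    return ev.name == "modprobe" and bool(MODPROBE_REMOVE_FLAGS.intersection(ev.args[1:]))


def matching_events(events):
    """Return the events that would raise an alert under this logic."""
    return [ev for ev in events if is_kernel_module_removal(ev)]


# Constructed sample telemetry (module names are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent("start", "rmmod", ("rmmod", "example_mod"), "bash", "root"),
    ProcessEvent("start", "modprobe", ("modprobe", "-r", "example_mod"), "sudo", "admin"),
    ProcessEvent("start", "modprobe", ("modprobe", "example_mod"), "bash", "root"),  # load, not removal
    ProcessEvent("start", "rmmod", ("rmmod", "example_mod"), "systemd", "root"),     # not from a shell
    ProcessEvent("end", "rmmod", ("rmmod", "example_mod"), "bash", "root"),          # not a start event
]

if __name__ == "__main__":
    for ev in matching_events(SAMPLE_EVENTS):
        print(f"ALERT kernel module removal: {ev.name} {' '.join(ev.args[1:])} "
              f"(parent={ev.parent_name}, user={ev.user})")
```

The two non-matching modprobe and systemd cases illustrate where the shell-parent and removal-flag conditions narrow the rule to reduce false positives from routine module loading and service-managed tasks.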
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Kernel
  • Application Log
ATT&CK Techniques
  • T1562
  • T1562.001
  • T1547
  • T1547.006
Created: 2020-04-24