Kernel Load or Unload via Kexec Detected

Elastic Detection Rules

Summary
This detection rule identifies usage of kexec, a Linux feature that loads and executes a new kernel without a full system reboot. While kexec is useful for system recovery and kernel updates, it can be misused for unauthorized kernel replacement, privilege escalation, and attempts to bypass security mechanisms such as Secure Boot or kernel lockdown. The rule monitors process events in which kexec is invoked with load- or unload-related arguments, and excludes known benign parent processes such as 'kdumpctl' and 'unload.sh' (used by crash-dump tooling) to reduce false positives. The rule is designed for Linux hosts and requires a supported endpoint data source to function. Its severity is medium, with a risk score of 47, indicating a noteworthy level of concern that warrants triage rather than immediate escalation. The rule can be driven by process data from the Elastic Defend, Auditd Manager, CrowdStrike, and SentinelOne integrations.
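The following is an added example, not Elastic's rule or its query language, that models the detection logic described above in plain Python so the matching and exclusion behaviour can be inspected on constructed process events. The exact argument list the real rule matches is not stated on this page; the flags used here (`-l`/`--load`, `-u`/`--unload`, `-e`/`--exec`, `-p`/`--load-panic`) are the standard kexec-tools options and are an assumption. The event field names and the sample events are constructed for the example.

```python
# Added example: a minimal model of the "kexec load/unload" detection logic.
# Not Elastic's own rule; field names, sample events and the flag list are assumed.

# Assumption: kexec-tools flags that load, unload or execute a kernel.
# The page only says "certain arguments"; the real rule's list may differ.
KEXEC_ACTION_ARGS = {"-l", "--load", "-u", "--unload", "-e", "--exec", "-p", "--load-panic"}

# Parent processes the page names as benign exclusions (crash-dump tooling).
BENIGN_PARENTS = {"kdumpctl", "unload.sh"}


def is_kexec_load_or_unload(event: dict) -> bool:
    """Return True when a process-start event matches the rule's logic."""
    if event.get("event_type") != "start":
        return False
    if event.get("process_name") != "kexec":
        return False
    # Any single load/unload/exec flag in the argument list triggers the match.
    if not any(arg in KEXEC_ACTION_ARGS for arg in event.get("args", [])):
        return False
    # Name-based parent exclusion, exactly as the summary describes.
    if event.get("parent_name") in BENIGN_PARENTS:
        return False
    return True


def detect(events: list) -> list:
    """Return the pids of events that should raise an alert."""
    return [e["pid"] for e in events if is_kexec_load_or_unload(e)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Interactive shell loading a kernel image: should alert.
    {"pid": 1001, "event_type": "start", "process_name": "kexec",
     "parent_name": "bash", "args": ["kexec", "-l", "/boot/vmlinuz-new", "--initrd=/boot/initrd-new"]},
    # kdump service unloading its crash kernel: excluded by parent name.
    {"pid": 1002, "event_type": "start", "process_name": "kexec",
     "parent_name": "kdumpctl", "args": ["kexec", "-p", "-u"]},
    # Crash-dump helper script: excluded by parent name.
    {"pid": 1003, "event_type": "start", "process_name": "kexec",
     "parent_name": "unload.sh", "args": ["kexec", "--unload"]},
    # Version query only, no load/unload flag: no alert.
    {"pid": 1004, "event_type": "start", "process_name": "kexec",
     "parent_name": "bash", "args": ["kexec", "--version"]},
    # Unrelated process: no alert.
    {"pid": 1005, "event_type": "start", "process_name": "systemctl",
     "parent_name": "bash", "args": ["systemctl", "kexec"]},
    # Second suspicious case: exec from a cron-spawned shell.
    {"pid": 1006, "event_type": "start", "process_name": "kexec",
     "parent_name": "sh", "args": ["kexec", "-e"]},
]


if __name__ == "__main__":
    print("alerting pids:", detect(SAMPLE_EVENTS))
```

Two points for anyone tuning this rule follow directly from the model. First, the exclusion keys on the parent process name alone, so it should be paired with the parent's executable path (and ideally package ownership) before being trusted in a hostile environment. Second, every alert carries the full argument list, which is the most useful triage field: the kernel image and initrd paths tell a responder immediately whether the load matches a scheduled maintenance or crash-dump configuration.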
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Process
  • Container
ATT&CK Techniques
  • T1611
  • T1547
  • T1547.006
  • T1601
  • T1601.001
Created: 2023-06-09