
Potential SSH Password Grabbing via strace

Elastic Detection Rules

Summary
This rule detects potential SSH password grabbing by correlating the behavior of `sshd` processes with `strace`. Attackers can use `strace` to trace system calls and thereby capture sensitive information passed during an SSH session, such as passwords. The detection logic is sequence-based: it looks for an `sshd` process ending, which indicates a session termination, followed closely (within 3 seconds) by the start of an `strace` process. This pattern may indicate an attacker monitoring SSH sessions to harvest credentials. The rule carries a risk score of 47 and medium severity, making it a useful indicator of potential malicious activity involving credential access and persistence. It applies to Linux environments and uses process event data collected by the Elastic Agent. The relevant MITRE ATT&CK techniques are 'Modify Authentication Process' (T1556) and 'Compromise Host Software Binary' (T1554).
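As an added illustration (not the rule's own query, which this page does not reproduce), the following Python sketch implements the sequence described above over a handful of constructed ECS-style process events: it pairs each `sshd` end event with the first `strace` start on the same host inside a configurable window, defaulting to the 3 seconds stated in the summary. The field names, the `start`/`end` values of `event.action`, and the per-host pairing are assumptions about how the endpoint agent labels process lifecycle events.

```python
import json
from datetime import datetime, timedelta

# Constructed ECS-style process events (not real telemetry). Field names follow
# ECS; the "start"/"end" values of event.action and the per-host pairing are
# assumptions about how the endpoint agent labels process lifecycle events.
SAMPLE_EVENTS = """\
{"@timestamp": "2025-11-10T10:00:00.000Z", "host.id": "host-a", "event.action": "end", "process.name": "sshd", "process.pid": 4011}
{"@timestamp": "2025-11-10T10:00:01.200Z", "host.id": "host-a", "event.action": "start", "process.name": "strace", "process.pid": 4020}
{"@timestamp": "2025-11-10T10:05:00.000Z", "host.id": "host-a", "event.action": "end", "process.name": "sshd", "process.pid": 4100}
{"@timestamp": "2025-11-10T10:05:10.000Z", "host.id": "host-a", "event.action": "start", "process.name": "strace", "process.pid": 4105}
{"@timestamp": "2025-11-10T10:07:00.000Z", "host.id": "host-b", "event.action": "end", "process.name": "sshd", "process.pid": 880}
{"@timestamp": "2025-11-10T10:07:01.000Z", "host.id": "host-c", "event.action": "start", "process.name": "strace", "process.pid": 912}
{"@timestamp": "2025-11-10T10:09:00.000Z", "host.id": "host-b", "event.action": "start", "process.name": "strace", "process.pid": 950}
"""


def parse_events(text):
    """Parse newline-delimited JSON into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        # fromisoformat does not accept a trailing "Z" on older Pythons
        raw["ts"] = datetime.fromisoformat(raw["@timestamp"].replace("Z", "+00:00"))
        events.append(raw)
    # Sort by time so the window scan below can stop early.
    events.sort(key=lambda e: e["ts"])
    return events


def find_sshd_strace_sequences(events, max_gap_seconds=3.0):
    """Pair each sshd 'end' event with the first strace 'start' event on the
    same host within max_gap_seconds. Returns one hit per qualifying sshd
    termination, mirroring a two-step sequence rule with a maxspan."""
    window = timedelta(seconds=max_gap_seconds)
    ordered = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, first in enumerate(ordered):
        if first["event.action"] != "end" or first["process.name"] != "sshd":
            continue
        for second in ordered[i + 1:]:
            if second["ts"] - first["ts"] > window:
                break  # later events are outside the window; stop scanning
            if (second["host.id"] == first["host.id"]
                    and second["event.action"] == "start"
                    and second["process.name"] == "strace"):
                hits.append({
                    "host": first["host.id"],
                    "sshd_pid": first["process.pid"],
                    "strace_pid": second["process.pid"],
                    "gap_seconds": (second["ts"] - first["ts"]).total_seconds(),
                })
                break  # one alert per sshd termination
    return hits


if __name__ == "__main__":
    for hit in find_sshd_strace_sequences(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

With the default 3-second window only the first `host-a` pair fires; the second `host-a` pair (10 seconds apart) and the `host-b`/`host-c` pair (different hosts) do not. Widening the window is the main tuning knob: it catches slower follow-ups at the cost of more alerts from routine `strace` use by administrators.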
Categories
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1556
  • T1554
Created: 2025-11-10