Linux HackTool Execution

Sigma Rules

Summary
This rule detects the execution of known hacktools on Linux hosts by inspecting process-creation events. It matches on the Image field (the path of the executed binary) and flags a process when that path ends with, or contains, one of a predefined set of strings associated with offensive tooling, for example Cobalt Strike, CrackMapExec, and various web enumeration and scanning tools used in penetration testing and exploitation. Because the match is on the image name alone, a copied or renamed binary will not trigger the rule, so it should be treated as a cheap, high-fidelity signal rather than a complete control. The rule carries a high severity level because unauthorized tooling on Linux servers usually indicates post-exploitation activity. False positives are expected to be rare and will most plausibly come from authorized penetration tests, red-team exercises, or security staff running these tools; such alerts should still be investigated and, where legitimate, tuned out by user or host rather than by disabling the rule.
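The following is an added illustration of the matching logic the summary describes, not the Sigma rule itself and not code from the Sigma project. It re-implements the two operations the rule relies on, `Image|endswith` and `Image|contains`, and runs them over a handful of constructed process-creation events. Only CrackMapExec and Cobalt Strike are named on this page; every pattern string, path, and event below is an assumption made for the example, and the last event shows the renamed-binary gap the rule cannot close.

```python
"""Toy re-implementation of an image-name hacktool match, run over constructed events."""

from dataclasses import dataclass
from typing import Iterable, List

# Illustrative pattern lists. The real rule's strings are not reproduced here;
# only the tool names CrackMapExec and Cobalt Strike come from the rule summary.
IMAGE_ENDSWITH = (
    "/crackmapexec",   # assumed binary name for CrackMapExec
    "/cobaltstrike",   # assumed launcher name for Cobalt Strike
)
IMAGE_CONTAINS = (
    "/teamserver",     # assumed: Cobalt Strike team server launcher
)


@dataclass
class ProcessCreationEvent:
    """Minimal subset of a Sigma process_creation event for Linux."""
    image: str          # full path of the executed binary (Sigma field: Image)
    command_line: str   # Sigma field: CommandLine
    user: str           # Sigma field: User


def matches_hacktool(image: str) -> bool:
    """Apply Image|endswith and Image|contains.

    Sigma string matching is case-insensitive unless the `cased` modifier is
    used, so both sides are lower-cased before comparing.
    """
    img = image.lower()
    if img.endswith(IMAGE_ENDSWITH):
        return True
    return any(needle in img for needle in IMAGE_CONTAINS)


def detect(events: Iterable[ProcessCreationEvent]) -> List[ProcessCreationEvent]:
    """Return every event whose image name matches a hacktool pattern."""
    return [e for e in events if matches_hacktool(e.image)]


# Constructed sample events; none of these come from a real host.
SAMPLE_EVENTS = [
    ProcessCreationEvent("/opt/tools/crackmapexec", "crackmapexec smb 10.0.0.0/24", "svc_backup"),
    ProcessCreationEvent("/usr/bin/bash", "bash -c 'ls -la'", "deploy"),
    ProcessCreationEvent("/home/ops/cs/teamserver", "teamserver 10.0.0.5 s3cret", "ops"),
    # Same tool as the first event, copied to a neutral name: the image match misses it.
    ProcessCreationEvent("/tmp/svc", "svc smb 10.0.0.0/24", "svc_backup"),
]


def run_example() -> List[str]:
    """Return the image paths the toy rule flags in SAMPLE_EVENTS."""
    return [e.image for e in detect(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT user={hit.user} image={hit.image} cmd={hit.command_line!r}")
```

The fourth event is the point worth noticing: the command line still carries the tool's argument shape, but an Image-only rule does not look at it, which is why this rule is best paired with command-line and behavioural detections rather than relied on alone.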
Categories
  • Linux
Data Sources
  • Process
Created: 2023-01-03