
Summary
This detection rule identifies the creation of symbolic links that may indicate malicious activity on Linux systems. An attacker who can place a symbolic link where a privileged process later reads or writes a file can redirect that process to a sensitive file, which may lead to privilege escalation or credential theft. The rule inspects process events in which the 'ln' command is executed with arguments that request a symbolic link (such as '-s') and that name a sensitive file such as '/etc/shadow'. It excludes executions by root, who needs no escalation, and so focuses on unprivileged users misusing 'ln' for privilege escalation or credential dumping. Alerting on this activity gives incident response teams the chance to detect and investigate attempted privilege elevation or credential access through manipulated symbolic links before it succeeds.
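As an added worked example, not the rule's own query, the detection logic described above is re-implemented below in Python and run over a handful of constructed process events. The event layout (JSON lines carrying process.name, process.args and user.id), the SENSITIVE_FILES list and the helper names are assumptions made for this illustration; the real rule's field names and file list may differ.

```python
"""Detect 'ln' creating symbolic links to sensitive files by non-root users.

Added example, not the detection rule's own query. Event layout
(process.name / process.args / user.id) and SENSITIVE_FILES are assumptions.
"""
import json
import os.path

# Assumption: files an attacker typically targets through a link.
SENSITIVE_FILES = {"/etc/shadow", "/etc/passwd", "/etc/sudoers", "/etc/gshadow"}


def parse_ln(args):
    """Minimal parse of an ln argv -> (wants_symlink, operands).

    Handles clustered short flags (-sf, -fs, -sfn), --symbolic, the
    value-taking options -t/-S, and '--' ending option parsing, so that an
    attacker cannot dodge the check by reordering flags.
    """
    symbolic, operands = False, []
    i, options_done = 1, False
    while i < len(args):
        a = args[i]
        if not options_done and a == "--":
            options_done = True
        elif not options_done and a.startswith("--"):
            if a == "--symbolic":
                symbolic = True
        elif not options_done and a.startswith("-") and len(a) > 1:
            flags = a[1:]
            for pos, f in enumerate(flags):
                if f == "s":
                    symbolic = True
                elif f in ("t", "S"):
                    # the option's value is the rest of this cluster or the next argv entry
                    if pos == len(flags) - 1:
                        i += 1
                    break
        else:
            operands.append(a)
        i += 1
    return symbolic, operands


def is_suspicious_symlink(event):
    """Return a reason string when the event matches the rule logic, else None."""
    proc = event.get("process", {})
    uid = str(event.get("user", {}).get("id", ""))
    if proc.get("name") != "ln":
        return None
    if uid == "0":
        return None  # root already holds the privilege; the rule is about escalation
    symbolic, operands = parse_ln(proc.get("args", []))
    if not symbolic:
        return None  # hard links are a separate concern, out of scope here
    # normpath collapses '..' and '//' so '/etc/../etc//shadow' still matches
    hits = sorted({os.path.normpath(p) for p in operands} & SENSITIVE_FILES)
    if not hits:
        return None
    return f"uid {uid} created symlink involving {', '.join(hits)}"


def scan_jsonl(text):
    """Run the detection over JSON-lines process events -> [(line_number, reason)]."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        reason = is_suspicious_symlink(json.loads(line))
        if reason:
            findings.append((n, reason))
    return findings


# Constructed sample events: lines 1 and 5 should alert, the rest should not.
SAMPLE_LOG = """\
{"process": {"name": "ln", "args": ["ln", "-sf", "/etc/shadow", "/tmp/backup/shadow"]}, "user": {"id": "1000"}}
{"process": {"name": "ln", "args": ["ln", "-s", "/etc/shadow", "/root/shadow.bak"]}, "user": {"id": "0"}}
{"process": {"name": "ln", "args": ["ln", "/etc/passwd", "/tmp/p"]}, "user": {"id": "1000"}}
{"process": {"name": "ln", "args": ["ln", "-s", "/opt/app/bin/tool", "/home/dev/bin/tool"]}, "user": {"id": "1000"}}
{"process": {"name": "ln", "args": ["ln", "-fs", "/etc/../etc//shadow", "/var/tmp/s"]}, "user": {"id": "1001"}}
{"process": {"name": "cp", "args": ["cp", "/etc/shadow", "/tmp/s"]}, "user": {"id": "1000"}}
"""

if __name__ == "__main__":
    for n, reason in scan_jsonl(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The root exclusion and the path normalisation are the two points worth noting: the first keeps the rule aimed at escalation rather than routine administration, and the second stops trivial argument tricks from hiding the target. A production version would usually also constrain where the link is written (world-writable directories, user home directories) and exclude known-good parent processes to keep noise down.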
Categories
- Endpoint
- Linux
Data Sources
- Process
- File
ATT&CK Techniques
- T1548 (Abuse Elevation Control Mechanism)
- T1003 (OS Credential Dumping)
- T1003.008 (OS Credential Dumping: /etc/passwd and /etc/shadow)
Created: 2023-07-27