
System Path File Creation and Execution Detected via Defend for Containers
Elastic Detection Rules
Summary
This detection rule fires when an interactive process inside a running Linux container creates a file in a system binary location, activity that can indicate tampering with execution paths or an attempt to evade security detection. The monitored paths include critical directories such as /etc, /root, /bin, /usr/bin, /usr/local/bin, and /entrypoint. Using tools like curl or wget, an adversary can drop executable files into these directories, potentially allowing them to execute commands on the host or conceal their actions. The rule uses an EQL (Event Query Language) query to isolate relevant events on specific conditions: the nature of the process, the type of file created, and whether the user session is interactive. Investigators are advised to review the metadata around the file creation to determine intent, assess the environment for security risks, and establish whether the interaction was legitimate or malicious. The rule also details incident response steps, including containment and remediation measures to recover from a potential compromise, and suggests hardening strategies to strengthen security.
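To make the rule's conditions concrete, the following Python snippet is an added illustration of the detection logic the summary describes; it is not the rule's own EQL query, and the event field names, the executable-file check and the sample events are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Directories named in the rule summary; the trailing "/" keeps "/bin/" from matching "/binary-cache".
# "/entrypoint" is kept bare so that /entrypoint and /entrypoint.sh both match (assumption).
MONITORED_PREFIXES = ("/etc/", "/root/", "/bin/", "/usr/bin/", "/usr/local/bin/", "/entrypoint")

@dataclass
class FileEvent:
    """One file event as this illustration models it (field names are assumptions)."""
    action: str                  # "creation" is the action the rule keys on
    path: str                    # absolute path of the created file
    executable: bool             # created file carries an execute bit (assumed "file type" test)
    process_name: str            # process that created the file, e.g. curl or wget
    interactive: bool            # process attached to a TTY, i.e. an interactive session
    container_id: Optional[str]  # None when the event did not originate in a container

def in_monitored_path(path: str) -> bool:
    """True when the path sits under one of the monitored system locations."""
    return path.startswith(MONITORED_PREFIXES)

def matches_rule(ev: FileEvent) -> bool:
    """Every condition must hold: container event, file creation, interactive process,
    executable file, monitored location. Non-interactive package installs do not match."""
    return (ev.container_id is not None and ev.action == "creation"
            and ev.interactive and ev.executable and in_monitored_path(ev.path))

def find_alerts(events: List[FileEvent]) -> List[str]:
    """Return 'process -> path' for every event that should raise the alert,
    which is the metadata an investigator reviews first."""
    return [f"{ev.process_name} -> {ev.path}" for ev in events if matches_rule(ev)]

# Constructed sample events (not real telemetry); container ids are placeholders.
SAMPLE_EVENTS = [
    FileEvent("creation", "/usr/local/bin/helper", True, "curl", True, "c0ffee01"),   # alert
    FileEvent("creation", "/usr/bin/newtool", True, "apt-get", False, "c0ffee01"),    # non-interactive install
    FileEvent("creation", "/tmp/notes.txt", False, "bash", True, "c0ffee01"),         # outside monitored paths
    FileEvent("creation", "/usr/local/bin/x", True, "wget", True, None),              # not a container event
    FileEvent("creation", "/etc/cron.hourly/sync", True, "wget", True, "c0ffee02"),   # alert
    FileEvent("creation", "/etc/motd", False, "vi", True, "c0ffee02"),                # not executable
    FileEvent("modification", "/bin/ls", True, "bash", True, "c0ffee02"),             # not a creation
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The commented sample events show which single condition stops each non-alerting event from matching, which is also how a false positive such as a scripted package install is separated from an interactive drop.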
Categories
- Containers
- Linux
- Cloud
Data Sources
- Container
- File
ATT&CK Techniques
- T1059
- T1059.004
- T1071
Created: 2026-02-06