Process Started from Process ID (PID) File

Elastic Detection Rules

Summary
This detection rule identifies suspicious process starts whose executable is a PID (Process ID) file in the /var/run directory on Linux systems. PID files are standard in Linux environments: they record the identifiers of running processes so that services can be managed. Adversaries can abuse this legitimate convention by disguising a malicious executable as a PID file and using it as a persistence or execution technique. The rule is written in Elastic's Event Query Language (EQL) and matches events in which a new process is spawned and its executable path matches the pattern for PID, lock, or reboot files. It also includes triage and investigation steps, suggesting that analysts examine the parent-child relationships of the processes involved and inspect the /var/run directory for other anomalous files that could indicate further compromise. The risk of such detections is rated high because of the potential for malicious actors to exploit these files. The rule works with Elastic Defend and requires specific integrations and configuration of the Elastic Agent for monitoring. Overall, this rule is crucial for identifying potential threat indicators and supports early detection of possible compromise on Linux systems.
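As an added illustration (not the rule's own EQL and not part of the original page), the following Python re-implements the detection logic the summary describes and runs it over constructed process-start events: the globs for PID, lock and reboot names under /var/run and the ECS-like field layout are assumptions made here, and each alert carries the parent process so the parent-child triage step has what it needs.

```python
# Added example: Python re-implementation of the detection logic described above
# (not the rule's own EQL). Globs and sample events are constructed; field names
# follow an ECS-like layout, assumed for illustration.
import fnmatch

# Assumed from the summary: executables under /var/run named like PID, lock or
# reboot files. Legitimate PID files hold data and are never executed.
SUSPICIOUS_GLOBS = ("/var/run/*.pid", "/var/run/*.lock", "/var/run/*reboot")

# Constructed sample process events, not real telemetry.
SAMPLE_EVENTS = [
    {"event": {"type": "start"},
     "process": {"executable": "/usr/sbin/sshd", "pid": 812,
                 "parent": {"executable": "/usr/lib/systemd/systemd", "pid": 1}}},
    {"event": {"type": "start"},
     "process": {"executable": "/var/run/crond.pid", "pid": 4410,
                 "parent": {"executable": "/bin/bash", "pid": 4401}}},
    {"event": {"type": "start"},
     "process": {"executable": "/var/run/.X11.lock", "pid": 4412,
                 "parent": {"executable": "/var/run/crond.pid", "pid": 4410}}},
    # A non-start event touching a PID file is ordinary housekeeping; ignored.
    {"event": {"type": "change"},
     "process": {"executable": "/var/run/sshd.pid", "pid": 812,
                 "parent": {"executable": "/usr/lib/systemd/systemd", "pid": 1}}},
]


def matches_pid_file_pattern(executable: str) -> bool:
    """True when the path looks like a PID, lock or reboot file in /var/run."""
    return any(fnmatch.fnmatchcase(executable, g) for g in SUSPICIOUS_GLOBS)


def detect(events):
    """One alert per process start whose executable matches; the parent process
    is carried along so the parent-child triage step has what it needs."""
    alerts = []
    for ev in events:
        if ev.get("event", {}).get("type") != "start":
            continue
        proc = ev.get("process", {})
        exe = proc.get("executable", "")
        if matches_pid_file_pattern(exe):
            parent = proc.get("parent", {})
            alerts.append({"executable": exe, "pid": proc.get("pid"),
                           "parent_executable": parent.get("executable"),
                           "parent_pid": parent.get("pid")})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags the two starts whose executable lives in /var/run under a PID- or lock-style name and skips the ordinary file change on sshd.pid; the second alert's parent is itself the first flagged executable, which is exactly the parent-child chain the triage guidance asks analysts to follow.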
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • File
  • Logon Session
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1059
Created: 2022-05-11