Linux Restricted Shell Breakout via env Shell Evasion

Elastic Detection Rules

Summary
This rule detects potential abuse of the 'env' command on Linux, which may indicate an attempt by a malicious actor to break out of a restricted environment by spawning an interactive shell. It looks for processes where 'env' is executed with two arguments, one of which is typically a shell executable such as '/bin/sh' or '/bin/bash'. This usage of 'env' deviates from its common application and therefore raises suspicion of unauthorized access and of attempts by malicious users to evade restrictions. The detection uses EQL (Event Query Language) to analyze process events from Linux endpoints. The assigned risk score is 47, placing the rule at medium severity. The rule maps to the MITRE ATT&CK framework under the Command and Scripting Interpreter technique, specifically the Unix Shell sub-technique, which are commonly employed during exploitation attempts.
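As an added illustration (not Elastic's rule code), the following Python reproduces the detection logic described above over constructed process events. It assumes Elastic's convention that process.args includes argv[0], so "two arguments" means an argv of length 2; the bare names 'sh' and 'bash' in the shell list are an assumption covering PATH-resolved invocations, and the parent-process names are constructed sample values.

```python
# Added example, not Elastic's rule: re-implements the "env + shell" check
# described in the summary over constructed endpoint process events.
from dataclasses import dataclass
from typing import Iterable, List

# Shell executables treated as suspicious companions of `env`. The page names
# /bin/sh and /bin/bash; the bare names are an assumption for PATH lookups.
SHELLS = {"/bin/sh", "/bin/bash", "sh", "bash"}


@dataclass
class ProcessEvent:
    """Constructed stand-in for an Elastic endpoint process-start event."""
    name: str              # process.name
    args: List[str]        # process.args (argv, including argv[0])
    parent_name: str = ""  # process.parent.name, for analyst context only

    @property
    def args_count(self) -> int:
        # Assumption: mirrors Elastic's process.args_count, which counts argv[0].
        return len(self.args)


def is_env_shell_breakout(ev: ProcessEvent) -> bool:
    """True when `env` runs with exactly two argv entries and one is a shell."""
    return (
        ev.name == "env"
        and ev.args_count == 2
        and any(arg in SHELLS for arg in ev.args[1:])
    )


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events that match the rule, in input order."""
    return [ev for ev in events if is_env_shell_breakout(ev)]


# Constructed sample events: two breakout attempts and three benign executions.
SAMPLE_EVENTS = [
    ProcessEvent("env", ["env", "/bin/sh"], parent_name="rbash"),
    ProcessEvent("env", ["env", "bash"], parent_name="lshell"),
    ProcessEvent("env", ["env"], parent_name="bash"),                   # prints environment
    ProcessEvent("env", ["env", "PATH=/usr/bin", "make"], parent_name="sh"),  # common env use
    ProcessEvent("python3", ["python3", "/bin/bash"], parent_name="bash"),   # not env
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT env shell breakout:", " ".join(hit.args), "| parent:", hit.parent_name)
```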
Categories
  • Linux
  • Endpoint
  • Infrastructure
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1059
  • T1059.004
Created: 2022-02-24