
Kernel Seeking Activity

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies potentially malicious kernel seeking activity on Linux hosts. Attackers may use built-in Linux utilities to probe the kernel for symbols and functions as a precursor to exploiting kernel vulnerabilities. The rule is written in EQL (Event Query Language) and monitors process executions of the utilities `tail`, `cmp`, `hexdump`, `xxd`, and `dd` whose arguments reference kernel-related paths, focusing primarily on paths under `/boot/*`. The rule depends on Elastic Defend, which must be set up through Elastic Agent in the Kibana interface. Matches should be investigated thoroughly: review the context of the command execution and the associated user account, and conduct a full review for other signs of compromise. The severity of this detection is classified as low, but it helps surface reconnaissance aimed at manipulating or exploiting the Linux kernel.
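The matching criteria described above, restated in Python and run over constructed ECS-style process events. This is an added illustration, not Elastic's EQL rule; the field names follow ECS (`host.os.type`, `event.type`, `process.name`, `process.args`), and the handling of `dd`'s `if=`/`of=` key=value arguments is an assumption of this example, not something the page states.

```python
import fnmatch

# Utilities the rule summary names as kernel-reading tools.
KERNEL_READ_TOOLS = frozenset({"tail", "cmp", "hexdump", "xxd", "dd"})
# Path patterns the summary says the rule focuses on.
KERNEL_PATH_GLOBS = ("/boot/*",)


def _path_candidates(arg: str) -> list[str]:
    """Forms of an argument worth matching against the path globs.

    Assumption (not on the page): dd names its files as if=PATH / of=PATH,
    so the value after '=' is checked as well as the raw argument.
    """
    key, sep, value = arg.partition("=")
    return [arg, value] if sep and key in ("if", "of") else [arg]


def is_kernel_seeking(event: dict) -> bool:
    """True when a constructed ECS-style event meets the criteria:
    Linux host, process start, listed tool, and an argument under /boot."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if event.get("process.name") not in KERNEL_READ_TOOLS:
        return False
    return any(
        fnmatch.fnmatchcase(candidate, pattern)
        for arg in event.get("process.args", [])
        for candidate in _path_candidates(arg)
        for pattern in KERNEL_PATH_GLOBS
    )


def triage(events: list[dict]) -> list[str]:
    """IDs of events that meet the criteria, for an analyst to review."""
    return [e["id"] for e in events if is_kernel_seeking(e)]


# Constructed sample events (not real telemetry); e4-e6 should not match:
# a non-/boot path, a tool not in the list, and a non-Linux host.
SAMPLE_EVENTS = [
    {"id": "e1", "host.os.type": "linux", "event.type": "start",
     "process.name": "xxd", "process.args": ["xxd", "/boot/vmlinuz-6.1.0"]},
    {"id": "e2", "host.os.type": "linux", "event.type": "start",
     "process.name": "tail", "process.args": ["tail", "-c", "64", "/boot/System.map-6.1.0"]},
    {"id": "e3", "host.os.type": "linux", "event.type": "start",
     "process.name": "dd", "process.args": ["dd", "if=/boot/vmlinuz-6.1.0", "of=/tmp/k", "bs=1M"]},
    {"id": "e4", "host.os.type": "linux", "event.type": "start",
     "process.name": "hexdump", "process.args": ["hexdump", "-C", "/etc/hosts"]},
    {"id": "e5", "host.os.type": "linux", "event.type": "start",
     "process.name": "cat", "process.args": ["cat", "/boot/grub/grub.cfg"]},
    {"id": "e6", "host.os.type": "macos", "event.type": "start",
     "process.name": "xxd", "process.args": ["xxd", "/boot/x"]},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # prints ['e1', 'e2', 'e3']
```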
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • File
  • Script
ATT&CK Techniques
  • T1082
  • T1014
Created: 2025-01-07