
Summary
This detection rule identifies command-line patterns associated with the Pnscan tool, which has been linked to the transmission of binary data over networks in Linux environments. The regex used in the rule matches command lines where Pnscan is invoked with either the '-W' (write) or '-R' (read) option followed by a sequence of hexadecimal data. Such behavior indicates potential malware activity: it has been observed in Linux campaigns targeting systems running Docker, Apache Hadoop, Redis, and Confluence. Notably, this methodology has been used by the threat actor known as TeamTNT, so any detection based on these patterns may signify a malware infection or an attempted data exfiltration. Given the increasingly sophisticated techniques employed by attackers, this rule is crucial for identifying and mitigating such threats in real time.
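As an added example (not the rule's own query and not code from any project), the following Python applies a regex of the kind the summary describes to a few constructed process-creation records and, for each hit, decodes the hex payload so an analyst can see what was to be sent or matched. The regex, the record field names and the sample command lines are all assumptions made for this example; the rule's actual pattern is not reproduced on this page.

```python
import re

# Assumed detection pattern (constructed for this example, not the rule's own
# regex): a pnscan invocation whose -W (write) or -R (read) argument carries a
# run of at least two "\xHH" escapes. The mode and payload are captured so a
# hit can be enriched for triage.
PNSCAN_HEX_RE = re.compile(
    r"""(?:^|[\s/])pnscan\b.*?\s-(?P<mode>[WR])\s*['"]?"""
    r"""(?P<payload>(?:\\x[0-9a-fA-F]{2}){2,})"""
)

# Constructed process-creation events. Field names are assumed; addresses use
# the RFC 5737 documentation range and the hex bytes are placeholder values.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": "/usr/bin/pnscan",
     "cmdline": "pnscan -W '\\x41\\x41\\x41\\x41' 192.0.2.0/24 6379"},
    {"pid": 1002, "image": "/usr/bin/grep",
     "cmdline": "grep -R pnscan /var/log/syslog"},          # benign: no payload
    {"pid": 1003, "image": "/usr/bin/pnscan",
     "cmdline": "pnscan -v 192.0.2.10 22"},                  # benign: no -W/-R data
    {"pid": 1004, "image": "/bin/sh",
     "cmdline": 'sh -c "/tmp/pnscan -R \\x41\\x42\\x43\\x44 192.0.2.0/24 6379"'},
]


def match_pnscan_transmission(cmdline):
    """Return {'mode': 'write'|'read', 'payload': bytes} on a hit, else None."""
    m = PNSCAN_HEX_RE.search(cmdline)
    if m is None:
        return None
    # "\x41\x41" -> "4141" -> b"AA": strip the escape prefixes and decode the hex.
    raw_hex = m.group("payload").replace("\\x", "")
    return {
        "mode": "write" if m.group("mode") == "W" else "read",
        "payload": bytes.fromhex(raw_hex),
    }


def scan_events(events):
    """Run the detection over a list of events; return (pid, mode, payload_len) per hit."""
    hits = []
    for event in events:
        result = match_pnscan_transmission(event["cmdline"])
        if result is not None:
            hits.append((event["pid"], result["mode"], len(result["payload"])))
    return hits


if __name__ == "__main__":
    for pid, mode, size in scan_events(SAMPLE_EVENTS):
        print(f"pid={pid} pnscan {mode} of {size} raw bytes on the command line")
```

The benign records show the two false-positive classes the pattern has to avoid: a string that merely contains "pnscan" (the grep) and a genuine Pnscan run with no inline data. Anchoring the tool name to the start of a path segment and requiring the hex run to follow the -W/-R flag keeps both out while still catching the tool when it is launched from a shell wrapper.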
Categories
- Linux
- Cloud
- Containers
Data Sources
- Process
Created: 2024-04-16