
Summary
This rule detects unusual command executions by child processes of the 'exim4' mail server on Linux systems. Exim runs as a long-lived, network-facing service, so an attacker who compromises it can have it spawn a shell or interpreter; because those children blend in with normal mail-handling activity, they are a convenient way to execute commands post-compromise and to establish persistence. The query filters for Linux hosts where event.type is 'start' and event.action is 'exec', requires a parent process name of 'exim4', and excludes known-benign children such as 'systemctl' and 'grep' so that alerts focus on potentially malicious activity. Note that Exim can legitimately launch external programs (for example via pipe transports and local delivery agents), so the exclusion list may need tuning per environment to keep the alert volume useful. The rule is active and intended for production use, with a severity of low and a risk score of 21. It maps to MITRE ATT&CK techniques under the Persistence tactic.
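The filtering logic described above, replayed over constructed ECS-style process events, as an added example (this is illustrative code, not the rule's own query or the vendor's code): the `matches_rule` function applies the host, event type/action, parent-name and exclusion checks in the order the summary lists them, and `alerting_command_lines` returns the command lines that would fire. The exclusion set is assumed from the two commands the summary names; the real rule's full list is not shown on this page. All sample events are constructed, not real telemetry.

```python
"""Replay the exim4 child-process detection over constructed ECS-style events."""
from typing import Any, Dict, List

# Child process names the summary says the rule ignores. The full exclusion
# list of the real rule is not on the page, so this set is an assumption.
EXCLUDED_CHILDREN = {"systemctl", "grep"}


def _as_list(value: Any) -> List[Any]:
    """ECS fields such as event.type may be a scalar or an array; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_rule(event: Dict[str, Any]) -> bool:
    """Apply the filters the summary describes, in the same order, to one event."""
    host_os = event.get("host", {}).get("os", {}).get("type")
    if host_os != "linux":
        return False
    ev = event.get("event", {})
    if "start" not in _as_list(ev.get("type")) or ev.get("action") != "exec":
        return False
    proc = event.get("process", {})
    if proc.get("parent", {}).get("name") != "exim4":
        return False
    # Known-benign children are dropped so the alert stays low-noise.
    return proc.get("name") not in EXCLUDED_CHILDREN


def alerting_command_lines(events: List[Dict[str, Any]]) -> List[str]:
    """Return the command line of every event that would raise the alert."""
    return [
        " ".join(e["process"].get("args", [e["process"]["name"]]))
        for e in events
        if matches_rule(e)
    ]


def _ecs_event(os_type, parent, name, args, action="exec", types=("start",)):
    """Build a minimal constructed ECS process event for the demo (hypothetical helper)."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"type": list(types), "action": action},
        "process": {"parent": {"name": parent}, "name": name, "args": list(args)},
    }


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Benign: exim4 checking its own service state; excluded by name.
    _ecs_event("linux", "exim4", "systemctl", ["systemctl", "is-active", "exim4"]),
    # Benign: exim4 grepping a config file; excluded by name.
    _ecs_event("linux", "exim4", "grep", ["grep", "-q", "relay", "/etc/exim4/update-exim4.conf.conf"]),
    # Suspicious: shell spawned by the mail server, a typical post-exploitation pattern.
    _ecs_event("linux", "exim4", "sh", ["sh", "-c", "id > /tmp/out"]),
    # Suspicious: interpreter spawned by the mail server.
    _ecs_event("linux", "exim4", "python3", ["python3", "-c", "import os"]),
    # Not a match: wrong parent process.
    _ecs_event("linux", "cron", "sh", ["sh", "-c", "run-parts /etc/cron.hourly"]),
    # Not a match: process end event, not an exec.
    _ecs_event("linux", "exim4", "sh", ["sh"], action="end", types=("end",)),
    # Not a match: the rule is scoped to Linux hosts only.
    _ecs_event("windows", "exim4", "cmd.exe", ["cmd.exe", "/c", "whoami"]),
]


if __name__ == "__main__":
    for line in alerting_command_lines(SAMPLE_EVENTS):
        print("ALERT: exim4 spawned:", line)
```

Running the script prints the two shell and interpreter launches and nothing for the excluded, wrong-parent, non-exec and non-Linux events. To tune the rule for a host whose Exim configuration legitimately runs external programs, add those program names to the exclusion set rather than relaxing the parent-name check.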
Categories
- Linux
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1037
- T1554
Created: 2025-04-30