
Summary
This detection rule identifies the execution of binaries by the root user from the shared memory directories on Linux: /dev/shm, /run/shm, /var/run, and /var/lock. These directories are intended for temporary storage and inter-process communication, but attackers can use them to drop and execute malicious binaries, often as backdoors that persist on high-uptime servers. The rule triggers on process start events where the process runs as user ID `0` (root) and its executable is located in one of those directories, while excluding known legitimate processes and paths to reduce false positives. Such activity is highly abnormal and warrants immediate investigation. The rule requires Elastic Defend as its data source and is written in EQL against the collected event data; it is mapped to the MITRE ATT&CK framework so that analysts can relate an alert to the adversary tactics and techniques involved. To limit false positives from legitimate operations, specific path exclusions are built in, particularly for containerized environments such as Docker and Kubernetes.
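The following is an added example that reproduces the decision logic described above in Python so it can be exercised against constructed events; it is not the rule's actual EQL and is not Elastic's code. It assumes ECS-style field names (`event.type`, `user.id`, `process.executable`, `process.name`) and uses a hypothetical exclusion list for container runtimes in place of the rule's real exclusions. Paths are normalised before the directory check so that `..` and `.` components cannot be used to dodge a plain prefix match.

```python
"""Emulation of the 'root binary executed from shared memory directory' logic.

Added example, not the rule's real EQL. Field names follow ECS conventions;
the exclusion lists are hypothetical placeholders, not the rule's own.
"""
import posixpath

# Directories the rule watches (from the rule description).
SHM_DIRS = ("/dev/shm", "/run/shm", "/var/run", "/var/lock")

# Hypothetical exclusions standing in for the rule's container-runtime
# allow-list (Docker / Kubernetes paths and process names).
EXCLUDED_PATH_PREFIXES = ("/var/run/docker/", "/var/run/kubelet/")
EXCLUDED_PROCESS_NAMES = frozenset({"runc", "containerd-shim"})


def in_shm_dir(executable: str) -> bool:
    """True if the (normalised) executable path lives under a watched directory."""
    path = posixpath.normpath(executable)
    # Require a directory boundary so "/dev/shmfoo" does not match "/dev/shm".
    return any(path == d or path.startswith(d + "/") for d in SHM_DIRS)


def is_excluded(executable: str, name: str) -> bool:
    """Apply the (hypothetical) false-positive exclusions."""
    return name in EXCLUDED_PROCESS_NAMES or any(
        executable.startswith(p) for p in EXCLUDED_PATH_PREFIXES
    )


def matches_rule(event: dict) -> bool:
    """Root (uid 0) process start whose executable sits in a shared memory dir."""
    if event.get("event.type") != "start":
        return False
    if str(event.get("user.id", "")) != "0":
        return False
    executable = event.get("process.executable", "")
    if not in_shm_dir(executable):
        return False
    return not is_excluded(executable, event.get("process.name", ""))


def find_alerts(events: list) -> list:
    """Return the events that would raise an alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: root starts a hidden binary from /dev/shm -> alert
    {"event.type": "start", "user.id": "0",
     "process.executable": "/dev/shm/.x/kit", "process.name": "kit"},
    # 2: same path but an unprivileged user -> no alert (rule is root-only)
    {"event.type": "start", "user.id": "1000",
     "process.executable": "/dev/shm/tool", "process.name": "tool"},
    # 3: container runtime under an excluded Docker path -> suppressed
    {"event.type": "start", "user.id": "0",
     "process.executable": "/var/run/docker/runtime-runc/runc", "process.name": "runc"},
    # 4: path traversal normalises into /var/lock -> alert
    {"event.type": "start", "user.id": "0",
     "process.executable": "/var/lock/subsys/../../lock/hidden", "process.name": "hidden"},
    # 5: ordinary root binary outside the watched dirs -> no alert
    {"event.type": "start", "user.id": "0",
     "process.executable": "/usr/bin/ls", "process.name": "ls"},
    # 6: process end event, not a start -> no alert
    {"event.type": "end", "user.id": "0",
     "process.executable": "/dev/shm/x", "process.name": "x"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["process.executable"])
```

One caveat when tuning a rule like this: on many distributions /var/run is a symlink to /run, so telemetry may report the resolved path (`/run/...`) rather than `/var/run/...`; check which form your sensor emits before relying on the prefix list.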
Categories
- Linux
- Endpoint
Data Sources
- Process
- File
- Network Traffic
ATT&CK Techniques
- T1059
Created: 2022-05-10