
Summary
The rule named 'Potential Defense Evasion via Doas' detects the creation or renaming of the Doas configuration file, /etc/doas.conf, on Linux hosts. Doas is a lightweight alternative to sudo, and doas.conf governs which users may run commands as which other users, so an adversary who can write or replace that file can grant themselves the ability to execute commands as root or another account. The rule is written in Elastic's EQL and queries file events for changes to '/etc/doas.conf'; it depends on the Elastic Defend integration for collecting file events from Linux endpoints, which the setup procedure calls out as a requirement. Its purpose is to catch attempts to bypass access controls by tampering with the configuration of a privilege-escalation tool. The risk score is 21 (low), which reflects that a hit should be reviewed rather than treated as a confirmed compromise: routine administration (package installation, configuration-management runs, manual edits by administrators) produces the same file event, and organizations are expected to add exceptions for such activity to reduce false positives. The same query can also be run as a threat-hunting search over historical file events. The rule is mapped to MITRE ATT&CK technique T1548 (Abuse Elevation Control Mechanism) and its sub-technique T1548.003 (Sudo and Sudo Caching). The accompanying guide covers investigation and response, including analysis steps and remediation recommendations for suspected abuse of the Doas utility.
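The following is an added example, not Elastic's rule code: a small Python re-implementation of the detection logic described above, run over constructed ECS-style file events so the match and false-positive handling can be seen end to end. The event.action strings ("creation", "rename"), the process.executable allowlist and the sample events are assumptions; check the values your own Elastic Defend data carries before reusing them.

```python
# Added example: Python equivalent of the EQL described in the summary, roughly
#   file where host.os.type == "linux" and event.action in (creation, rename)
#     and file.path == "/etc/doas.conf"
# This is not Elastic's rule code. Action strings, the allowlist and the sample
# events are assumptions for illustration.

DOAS_CONF = "/etc/doas.conf"

# Assumed event.action values for file creation and rename; ECS leaves these
# vendor-defined, so confirm them against your endpoint data.
CREATE_OR_RENAME_ACTIONS = frozenset({"creation", "rename"})


def get(event, dotted, default=None):
    """Walk a nested dict by an ECS-style dotted field name, e.g. 'file.path'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def matches_rule(event):
    """True when the event is a Linux file creation/rename of /etc/doas.conf."""
    categories = get(event, "event.category", [])
    if isinstance(categories, str):
        categories = [categories]
    return (
        "file" in categories
        and get(event, "host.os.type") == "linux"
        and get(event, "event.action") in CREATE_OR_RENAME_ACTIONS
        and get(event, "file.path") == DOAS_CONF
    )


def is_routine_admin_change(event, allowed_executables):
    """Exception for the false positives the rule warns about: writes made by an
    approved package manager or config-management agent. The executable
    allowlist is an assumption; tune it per fleet."""
    return get(event, "process.executable") in allowed_executables


def run_detection(events, allowed_executables=frozenset()):
    """Return (host.name, event.action, process.executable, user.name) for every
    event that matches the rule and is not excluded by the allowlist."""
    hits = []
    for ev in events:
        if matches_rule(ev) and not is_routine_admin_change(ev, allowed_executables):
            hits.append((get(ev, "host.name"), get(ev, "event.action"),
                         get(ev, "process.executable"), get(ev, "user.name")))
    return hits


def make_event(host, os_type, category, action, path, executable, user):
    """Build a constructed ECS-style event (sample data, not real telemetry)."""
    return {
        "host": {"name": host, "os": {"type": os_type}},
        "event": {"category": [category], "action": action},
        "file": {"path": path},
        "process": {"executable": executable},
        "user": {"name": user},
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Interactive editor creates the config as root: should alert.
    make_event("web-01", "linux", "file", "creation", DOAS_CONF, "/usr/bin/vim", "root"),
    # Staged file renamed into place by a web-server account: should alert.
    make_event("web-02", "linux", "file", "rename", DOAS_CONF, "/usr/bin/mv", "www-data"),
    # Package install writing the file: matches the query, then allowlisted.
    make_event("build-03", "linux", "file", "creation", DOAS_CONF, "/usr/bin/dpkg", "root"),
    # Deletion is out of scope for this rule.
    make_event("web-01", "linux", "file", "deletion", DOAS_CONF, "/usr/bin/rm", "root"),
    # Wrong path: an unrelated file in /etc.
    make_event("web-01", "linux", "file", "creation", "/etc/hosts", "/usr/bin/vim", "root"),
    # Wrong OS type.
    make_event("mac-01", "macos", "file", "creation", DOAS_CONF, "/usr/bin/vim", "root"),
    # Not a file event at all.
    make_event("web-01", "linux", "process", "creation", DOAS_CONF, "/usr/bin/doas", "root"),
]

# Assumed allowlist of package managers whose writes are routine.
PACKAGE_MANAGERS = frozenset({"/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/apk"})


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS, PACKAGE_MANAGERS):
        print("ALERT: Potential Defense Evasion via Doas ->", hit)
```

Without the allowlist the sample set yields three hits (the vim creation, the mv rename and the dpkg write); with it the dpkg write is suppressed and two remain, which is the tuning step the rule's false-positive note describes. Deletions, other paths, non-Linux hosts and non-file events never match.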
Categories
- Linux
- Endpoint
- Infrastructure
Data Sources
- File
- Application Log
- Network Traffic
- Cloud Service
ATT&CK Techniques
- T1548
- T1548.003
Created: 2024-08-28