
Summary
This detection rule monitors for the creation of hidden directories in Linux environments through suspicious parent executables. Hidden directories, typically prefixed with a dot, are often used by attackers to conceal malicious files or tools. The rule uses an EQL query to detect execution of the 'mkdir' command initiated by unusual parent processes within sensitive directory locations such as '/tmp', '/var/tmp', and '/dev/shm'. To mitigate false positives, the rule excludes known benign patterns and provides a framework for investigating potential malicious activity by analyzing the characteristics of the parent executables and command-line arguments and by reviewing recent host activity logs. Comprehensive triage involves validating the legitimacy of the triggering process, evaluating the context of the activity, and correlating with broader security data. The setup requires integration with Elastic Defend for effective monitoring on Linux systems.
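As an added illustration (not the rule's own EQL, which this page does not reproduce), the following Python re-implements the detection idea over constructed process-start events: a 'mkdir' whose target is a dot-prefixed directory, launched by a parent executable living under a staging path. The parent-path prefixes, the benign allow-list entry and the event field names are assumptions for the example.

```python
"""Toy re-implementation of the detection idea: mkdir of a dot-prefixed
directory launched by a parent executable running out of a staging path."""
from dataclasses import dataclass
from typing import List

# Assumed: parent executables running out of these paths count as "unusual".
SUSPICIOUS_PARENT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed allow-list of benign parents (placeholder, not the rule's own list).
BENIGN_PARENTS = {"/tmp/known-installer/setup.sh"}

@dataclass
class ProcessEvent:
    name: str                 # process.name
    args: List[str]           # process.args, args[0] is the binary itself
    parent_executable: str    # process.parent.executable

def hidden_dir_targets(args):
    """Return mkdir arguments whose final path component starts with a dot."""
    targets = []
    for arg in args[1:]:
        if arg.startswith("-"):   # skip flags such as -p
            continue
        leaf = arg.rstrip("/").rsplit("/", 1)[-1]
        if leaf.startswith(".") and leaf not in (".", ".."):
            targets.append(arg)
    return targets

def is_suspicious(ev):
    """True when an unusual parent runs mkdir to create a hidden directory."""
    if ev.name != "mkdir":
        return False
    if ev.parent_executable in BENIGN_PARENTS:
        return False
    if not ev.parent_executable.startswith(SUSPICIOUS_PARENT_PREFIXES):
        return False
    return bool(hidden_dir_targets(ev.args))

def triage(events):
    """Filter a batch of events down to the ones worth an analyst's attention."""
    return [ev for ev in events if is_suspicious(ev)]

# Constructed sample events: only the first one should alert.
SAMPLE_EVENTS = [
    ProcessEvent("mkdir", ["mkdir", "-p", "/var/tmp/.cache-x"], "/tmp/.dropper"),
    ProcessEvent("mkdir", ["mkdir", "/home/alice/build"], "/tmp/.dropper"),
    ProcessEvent("mkdir", ["mkdir", "/tmp/.hidden"], "/usr/bin/bash"),
    ProcessEvent("mkdir", ["mkdir", "/tmp/.work"], "/tmp/known-installer/setup.sh"),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"ALERT parent={ev.parent_executable} args={' '.join(ev.args)}")
```

Each of the three non-alerting samples exercises one exclusion (no hidden target, a parent outside the staging paths, an allow-listed parent), which mirrors the triage questions the summary lists.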
Categories
- Endpoint
- Linux
Data Sources
- Process
- Application Log
- File
ATT&CK Techniques
- T1564
- T1564.001
Created: 2024-11-01