Suspicious Interpreter Execution Detected via Defend for Containers

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies an interactive process inside a Linux container that executes suspicious commands through an interpreter such as Perl, PHP, Lua, Python, or Ruby. Such commands frequently indicate malicious activity, for example running harmful scripts or exfiltrating data, and map to the Execution and Command and Control tactics of the MITRE ATT&CK framework. The rule monitors process execution activity that begins within the last six months and evaluates the observed configuration against known patterns of abuse. The investigation steps included with the rule stress decoding any inline script passed to the interpreter, correlating the execution with session metadata to identify the responsible actor, and analyzing network activity that follows the command. The rule also recommends response measures for flagged workloads, including quarantining the affected container and reviewing it for dropped artifacts or follow-on activity.
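The rule's actual query is not reproduced on this page, so the following is an added illustration rather than Elastic's detection logic: a small Python detector that applies the behaviour the summary describes (interactive process, interpreter binary, inline code flag) to constructed container process events, and decodes any base64 payload embedded in the inline script so the analyst sees what would really run. The event field names, the per-interpreter flag table, and the sample events are all assumptions.

```python
"""Toy detector for interactive interpreter execution with inline code in containers.

Added example: the real rule's query is not on the page, so the event fields,
the flag table and the heuristics below are assumptions, not Elastic's code.
"""
import base64
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Interpreters named in the rule summary, keyed to the flags that accept inline code.
# (Assumed mapping; combined flags such as perl's -le are deliberately not handled.)
INLINE_FLAGS = {
    "perl": ("-e", "-E"),
    "php": ("-r",),
    "lua": ("-e",),
    "python": ("-c",),
    "ruby": ("-e",),
}

# Runs of base64 alphabet long enough to be worth decoding for triage.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


@dataclass
class ProcessEvent:
    """Assumed shape of one container process-start event."""
    container_id: str
    session_id: str
    user: str
    interactive: bool   # True when the process is attached to a TTY
    command_line: str


@dataclass
class Finding:
    container_id: str
    session_id: str
    user: str
    interpreter: str
    inline_code: str
    decoded_payloads: list = field(default_factory=list)


def normalize_interpreter(path: str) -> str:
    """/usr/bin/python3.11 -> python; /usr/bin/ruby -> ruby."""
    name = path.rsplit("/", 1)[-1]
    return re.sub(r"\d+(\.\d+)*$", "", name)


def extract_inline_code(interp: str, args: list) -> Optional[str]:
    """Return the script passed via the interpreter's inline-code flag, if any."""
    for i, arg in enumerate(args):
        for flag in INLINE_FLAGS[interp]:
            if arg == flag and i + 1 < len(args):
                return args[i + 1]           # `-c code`
            if arg.startswith(flag) and len(arg) > len(flag):
                return arg[len(flag):]       # `-ecode`
    return None


def decode_embedded_base64(code: str) -> list:
    """Decode base64 tokens in the inline script so the real payload is visible."""
    payloads = []
    for token in B64_TOKEN.findall(code):
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            payloads.append(text)
    return payloads


def analyze_event(event: ProcessEvent) -> Optional[Finding]:
    """Flag an interactive interpreter execution that carries inline code."""
    if not event.interactive:
        return None
    try:
        argv = shlex.split(event.command_line)
    except ValueError:
        return None
    if not argv:
        return None
    interp = normalize_interpreter(argv[0])
    if interp not in INLINE_FLAGS:
        return None
    code = extract_inline_code(interp, argv[1:])
    if code is None:
        return None
    return Finding(event.container_id, event.session_id, event.user,
                   interp, code, decode_embedded_base64(code))


def run_detection(events) -> list:
    return [f for f in map(analyze_event, events) if f is not None]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("c1", "s1", "root", True,
                 "python3 -c \"import base64;exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\""),
    ProcessEvent("c1", "s1", "root", True, "perl -e 'print 1'"),
    ProcessEvent("c2", "s2", "app", False, "python3 -c 'print(1)'"),         # not interactive
    ProcessEvent("c2", "s3", "app", True, "/usr/bin/python3.11 /app/worker.py"),  # no inline code
    ProcessEvent("c3", "s4", "root", True, "ls -la /tmp"),                   # not an interpreter
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"container={f.container_id} session={f.session_id} user={f.user} "
              f"{f.interpreter}: {f.inline_code!r} decoded={f.decoded_payloads}")
```

Only the first two sample events produce findings; the decoded payload of the first (`print('hi')`) is what an analyst would carry into the session and network correlation steps the rule describes.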
Categories
  • Containers
Data Sources
  • Container
ATT&CK Techniques
  • T1059
  • T1059.004
  • T1059.006
  • T1059.011
  • T1071
  • T1071.001
Created: 2026-02-06