
Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments

Elastic Detection Rules

Summary
This detection rule identifies suspicious use of the LD_PRELOAD and LD_LIBRARY_PATH environment variables in command line arguments on Linux systems. Both variables have legitimate uses in dynamic linking, but their misuse can indicate that a threat actor is trying to hijack the execution flow of a legitimate process by steering the dynamic loader toward a shared object it controls. Such activity may point to evasion of security mechanisms, privilege escalation, or persistence. The rule relies on Elastic Defend process creation events, looking for command lines that set these environment variables when the process is launched by a shell, and it excludes common benign executables such as 'bash' and 'sshd' so that the remaining matches are the ones worth investigating. With a risk score of 21, the rule is classified as low severity, allowing prompt detection while minimizing false positives from routine operations.
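The following is an added example, not the rule's own query or any code from Elastic: it approximates the logic the summary describes (process start event, LD_PRELOAD= or LD_LIBRARY_PATH= in the command line, a shell as parent, benign executables excluded) in Python and runs it over constructed ECS-style events. The list of shell parents and everything in the sample events are assumptions made for illustration; the exclusion list contains only the two executables the page names.

```python
import re
from typing import Dict, List, Optional

# Loader environment variables the rule looks for (the two named on the page).
# The negative lookbehind keeps FOO_LD_PRELOAD=... from matching.
VAR_PATTERN = re.compile(r"(?<![\w-])(?P<var>LD_PRELOAD|LD_LIBRARY_PATH)=(?P<value>\S*)")

# Shells whose child processes are inspected. Assumption for illustration;
# the page only says "various shell types".
SHELL_PARENTS = frozenset({"bash", "sh", "dash", "zsh", "ksh", "csh", "tcsh", "fish"})

# Executables excluded as benign. The page names bash and sshd; any further
# exclusions are a tuning decision for the analyst.
BENIGN_EXECUTABLES = frozenset({"bash", "sshd"})

RULE_NAME = "Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments"


def find_loader_vars(command_line: str) -> List[Dict[str, str]]:
    """Return every LD_PRELOAD=/LD_LIBRARY_PATH= assignment found in a command line."""
    return [m.groupdict() for m in VAR_PATTERN.finditer(command_line)]


def evaluate_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Apply the described rule logic to one ECS-style process event.

    Returns an alert dict when the event matches, otherwise None.
    """
    if event.get("event.type") != "start":          # only process creation
        return None
    hits = find_loader_vars(event.get("process.command_line", ""))
    if not hits:                                     # no loader variable set
        return None
    if event.get("process.parent.name") not in SHELL_PARENTS:
        return None                                  # not launched from a shell
    if event.get("process.name") in BENIGN_EXECUTABLES:
        return None                                  # known-benign executable
    return {
        "rule": RULE_NAME,
        "risk_score": 21,
        "severity": "low",
        "host": event.get("host.name"),
        "user": event.get("user.name"),
        "process": event.get("process.name"),
        "parent": event.get("process.parent.name"),
        "loader_vars": hits,                         # what to triage first
    }


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rule over a batch of events and return the alerts raised."""
    alerts = []
    for event in events:
        alert = evaluate_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry); field names follow ECS.
SAMPLE_EVENTS = [
    {  # env started from a shell with a library injected: should alert
        "event.type": "start", "host.name": "web-01", "user.name": "www-data",
        "process.name": "env", "process.parent.name": "bash",
        "process.command_line": "env LD_PRELOAD=/tmp/libhook.so /usr/bin/id",
    },
    {  # bash itself is on the benign exclusion list: no alert
        "event.type": "start", "host.name": "web-01", "user.name": "root",
        "process.name": "bash", "process.parent.name": "bash",
        "process.command_line": 'bash -c "LD_LIBRARY_PATH=/usr/local/lib ./run.sh"',
    },
    {  # compiler started by make rather than a shell: outside rule scope
        "event.type": "start", "host.name": "build-02", "user.name": "ci",
        "process.name": "cc", "process.parent.name": "make",
        "process.command_line": "LD_LIBRARY_PATH=/opt/toolchain/lib cc -o app main.c",
    },
    {  # ordinary command with no loader variables: no alert
        "event.type": "start", "host.name": "web-01", "user.name": "www-data",
        "process.name": "ls", "process.parent.name": "bash",
        "process.command_line": "ls -la /var/www",
    },
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample raises an alert; the other three show the three ways an event falls out of scope (excluded executable, non-shell parent, no loader variable). Extracting the variable values into the alert gives the analyst the library path to check before deciding whether the rule's low severity should be raised.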
Categories
  • Endpoint
Data Sources
  • Process
  • Command
  • User Account
  • Container
  • Script
ATT&CK Techniques
  • T1574
  • T1574.006
Created: 2025-04-30