
Linux Restricted Shell Breakout via Linux Binary(s)

Elastic Detection Rules

Summary
This detection rule identifies abuse of Linux binaries to break out of a restricted shell or environment, which can give an adversary an interactive system shell. Such behaviour departs markedly from normal usage and may indicate an attempt to evade detection or extend malicious capabilities. The rule flags common shell processes (such as bash or zsh) that are started in unusual contexts, in particular when their parent process is one of the Unix utilities known to be abusable in this way.
Categories
  • Endpoint
  • Linux
  • Cloud
Data Sources
  • Process
  • Container
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1059
  • T1059.004
Created: 2022-05-06