
Summary
The 'Login via Unusual System User' detection rule by Elastic identifies successful logins through system accounts that are not meant to log in at all. On Unix/Linux hosts, service accounts such as daemon or www-data are created with a non-interactive login shell (typically /usr/sbin/nologin or /bin/false), so a successful SSH or console login as one of them implies that the account's shell, password or SSH authorized keys were modified. The rule uses Event Query Language (EQL) over authentication events collected by Filebeat, matching successful SSH or user logins whose user name appears on a predefined list of system users. Its risk score is 47, which Elastic maps to medium severity. Because these accounts have no legitimate interactive use, any successful login through them may indicate a backdoor planted by an adversary and warrants prompt investigation and response.
The alert generated by this rule includes investigation guidelines, remediation recommendations and a discussion of possible false positives. It emphasizes reviewing the login event details (source address, authentication method, timestamp), checking the account for unauthorized changes such as a replaced login shell, a newly set password or added SSH authorized keys, and consulting the system administrators to corroborate the findings. The rule is mapped to MITRE ATT&CK Persistence via Account Manipulation (T1098, with the SSH Authorized Keys sub-technique T1098.004) and Defense Evasion via Hide Artifacts (T1564, with the Hidden Users sub-technique T1564.002).
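As an added worked example, not Elastic's rule or its EQL query, the following Python reproduces the detection logic described above over constructed sshd log lines and a constructed /etc/passwd excerpt, and adds the triage check the investigation guidance calls for: which system accounts have had their nologin shell replaced. The system user list, the nologin shell list and all sample data are assumptions chosen for illustration; the real rule's list may differ.

```python
"""Added example: system-user login detection over constructed sample data.
Not Elastic's rule or query; the user list, shells and logs are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: a typical set of Linux service accounts that should never log in.
SYSTEM_USERS = frozenset({
    "daemon", "bin", "sys", "games", "man", "lp", "mail", "news", "uucp",
    "proxy", "www-data", "backup", "list", "irc", "gnats", "nobody",
    "systemd-network", "systemd-resolve", "messagebus", "sshd",
})

# Assumption: shells that deny interactive login.
NOLOGIN_SHELLS = frozenset({
    "/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false",
})

# Constructed sshd lines in auth.log format: one normal user login, one failed
# attempt as a system user (not a hit), and two successful system-user logins.
SAMPLE_AUTH_LOG = """\
Jan  7 10:01:02 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:abc
Jan  7 10:02:15 host sshd[1210]: Failed password for daemon from 10.0.0.9 port 51301 ssh2
Jan  7 10:03:44 host sshd[1222]: Accepted password for www-data from 10.0.0.9 port 51355 ssh2
Jan  7 10:05:00 host sshd[1230]: Accepted publickey for mail from 203.0.113.7 port 40022 ssh2: RSA SHA256:def
"""

# Constructed /etc/passwd excerpt: www-data and mail have had their shells changed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
mail:x:8:8:mail:/var/mail:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/bash
"""

# Only "Accepted ..." lines are successful authentications; failures are ignored.
SSHD_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class Alert:
    user: str
    source_ip: str
    method: str
    shell: Optional[str]  # current login shell from passwd, if the account exists


def parse_passwd(text: str) -> Dict[str, str]:
    """Map user name -> login shell from passwd-format text (7 colon-separated fields)."""
    shells: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def detect_system_user_logins(auth_log: str, passwd_text: str,
                              system_users=SYSTEM_USERS) -> List[Alert]:
    """Flag every successful sshd login whose user is on the system-user list.

    Mirrors the rule's logic (successful login AND user in list); the shell is
    attached to each alert to speed up the 'was the account modified?' triage."""
    shells = parse_passwd(passwd_text)
    alerts: List[Alert] = []
    for line in auth_log.splitlines():
        m = SSHD_ACCEPTED.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are not logins
        user = m.group("user")
        if user not in system_users:
            continue  # ordinary users are out of scope for this rule
        alerts.append(Alert(user=user, source_ip=m.group("src"),
                            method=m.group("method"), shell=shells.get(user)))
    return alerts


def shell_enabled_system_users(passwd_text: str,
                               system_users=SYSTEM_USERS) -> List[str]:
    """Triage check: system accounts whose shell is no longer a nologin shell."""
    shells = parse_passwd(passwd_text)
    return sorted(u for u, s in shells.items()
                  if u in system_users and s not in NOLOGIN_SHELLS)


if __name__ == "__main__":
    for a in detect_system_user_logins(SAMPLE_AUTH_LOG, SAMPLE_PASSWD):
        print(f"ALERT user={a.user} from={a.source_ip} method={a.method} shell={a.shell}")
    print("system accounts with interactive shells:",
          shell_enabled_system_users(SAMPLE_PASSWD))
```

On the constructed data the failed attempt as daemon is correctly ignored, while the two accepted logins as www-data and mail are raised, and the passwd check independently shows that those two accounts are exactly the ones whose shells were changed away from nologin; on a real host, the same cross-check against /etc/passwd, /etc/shadow and the account's authorized_keys file is the first step of the investigation the rule's guidance describes.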
Categories
- Endpoint
- Linux
Data Sources
- File
- Logon Session
- User Account
ATT&CK Techniques
- T1098
- T1098.004
- T1564
- T1564.002
Created: 2025-01-07