Unusual Execution from Kernel Thread (kthreadd) Parent

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious child processes spawned by the 'kthreadd' kernel thread parent process on Linux. Attackers may use this parent process to execute payloads and evade detection mechanisms built for user-level processes. Analyzing process events logged by Elastic Defend with a focus on the parent process 'kthreadd', the rule uses the new_terms technique to surface uncommon or suspicious child processes, highlighting activity that diverges from normal operation. The rule is particularly concerned with process execution from directories that are common points of exploitation, such as /dev/shm, /tmp, and other sensitive system locations. It also excludes specific known benign processes and commands from alerting, minimizing false positives. Overall, the rule strengthens detection of stealthy kernel-level attacks.
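The two stages described above, a query filter (kthreadd parent, staging-directory executable, benign exclusions) followed by a new_terms first-sighting check, as an added Python illustration; this is not Elastic's rule query, and the field names, the /var/tmp prefix, the benign-name allowlist and the sample events are all assumptions or constructed data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

@dataclass(frozen=True)
class ProcessEvent:
    parent_name: str  # process.parent.name
    name: str         # process.name
    executable: str   # process.executable ("" for true kernel threads)

# /dev/shm and /tmp come from the rule summary; /var/tmp is an assumed extra.
SUSPICIOUS_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/")
# Assumed stand-in for the rule's exclusion of known benign children.
BENIGN_NAMES = frozenset({"kworker", "ksoftirqd", "migration", "rcu_sched"})

def matches_query(ev: ProcessEvent) -> bool:
    """Query stage: child of kthreadd, running from a staging directory,
    and not one of the excluded benign process names."""
    if ev.parent_name != "kthreadd":
        return False
    if ev.name.split("/")[0] in BENIGN_NAMES:  # "kworker/0:1" -> "kworker"
        return False
    return ev.executable.startswith(SUSPICIOUS_PREFIXES)

def new_terms_alerts(events: Iterable[ProcessEvent], seen: Set[str]) -> List[ProcessEvent]:
    """new_terms stage: among matching events, alert only the first time a
    process.executable value is observed; 'seen' models the history window."""
    alerts = []
    for ev in events:
        if matches_query(ev) and ev.executable not in seen:
            seen.add(ev.executable)
            alerts.append(ev)
    return alerts

# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    ProcessEvent("kthreadd", "kworker/0:1", ""),               # genuine kernel thread
    ProcessEvent("kthreadd", "payload", "/dev/shm/payload"),   # first sighting: alert
    ProcessEvent("kthreadd", "payload", "/dev/shm/payload"),   # repeat: suppressed
    ProcessEvent("systemd", "bash", "/tmp/run.sh"),            # wrong parent: ignored
    ProcessEvent("kthreadd", "run.sh", "/tmp/.cache/run.sh"),  # first sighting: alert
    ProcessEvent("kthreadd", "ls", "/usr/bin/ls"),             # outside staging dirs: ignored
]

if __name__ == "__main__":
    for hit in new_terms_alerts(SAMPLE_EVENTS, set()):
        print(f"ALERT parent={hit.parent_name} name={hit.name} exe={hit.executable}")
```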
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Kernel
ATT&CK Techniques
  • T1059
  • T1059.004
Created: 2025-04-30