
Summary
The rule detects the creation of an interactive shell on UNIX-like hosts by monitoring process initiation events that signify the launch of a shell with terminal options. Specifically, it looks for instances of /bin/sh being invoked with the '-i' parameter, which denotes the shell's interactive mode. This method can highlight unauthorized access or exploitation attempts, particularly in environments affected by the Kinsing malware, which is known for exploiting vulnerabilities to execute arbitrary commands. By leveraging EDR logs, the detection captures attributes including the time of the event, host details, user information, source IP, and process details, so that the potentially malicious activity can be traced and security teams are given actionable insights.
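The following is an added illustration of the detection logic described above, not the rule's own implementation or code from the project it belongs to. It runs over a handful of constructed EDR process-creation events (JSON lines, not real telemetry) and flags a shell launched with the '-i' option. It generalizes slightly beyond the summary: it matches combined option clusters such as "-il" and accepts other shell binaries besides /bin/sh (the `SHELLS` set is an assumption you can narrow to `{"sh"}` to mirror the rule exactly), and it only inspects the shell's own leading options so that a command string passed via `-c` that happens to contain "-i" does not produce a false positive.

```python
import json
import os
import shlex

# Constructed sample EDR process-creation events (not real telemetry).
# Field names (time, host, user, src_ip, process, cmdline, parent) are assumptions.
SAMPLE_EVENTS = """
{"time": "2024-02-09T10:01:12Z", "host": "web-01", "user": "www-data", "src_ip": "198.51.100.23", "process": "/bin/sh", "cmdline": "/bin/sh -i", "parent": "/usr/bin/php-fpm"}
{"time": "2024-02-09T10:01:15Z", "host": "web-01", "user": "root", "src_ip": "", "process": "/bin/sh", "cmdline": "/bin/sh -c ls -la", "parent": "/usr/bin/cron"}
{"time": "2024-02-09T10:02:40Z", "host": "db-02", "user": "postgres", "src_ip": "10.0.0.5", "process": "/bin/bash", "cmdline": "bash -il", "parent": "/usr/bin/sshd"}
{"time": "2024-02-09T10:03:01Z", "host": "web-01", "user": "www-data", "src_ip": "198.51.100.23", "process": "/bin/sh", "cmdline": "sh -i", "parent": "/usr/bin/python3"}
{"time": "2024-02-09T10:04:00Z", "host": "build-03", "user": "ci", "src_ip": "", "process": "/usr/bin/grep", "cmdline": "grep -i error build.log", "parent": "/bin/sh"}
{"time": "2024-02-09T10:05:30Z", "host": "web-01", "user": "www-data", "src_ip": "", "process": "/bin/sh", "cmdline": "sh -c 'python3 -i script.py'", "parent": "/usr/bin/php-fpm"}
"""

# Shell binaries whose "-i" option means "interactive". Assumed list; narrow to {"sh"}
# to match the rule's focus on /bin/sh exactly.
SHELLS = {"sh", "bash", "dash", "ash"}


def is_interactive_shell(event: dict) -> bool:
    """True if the event is a known shell started with the -i (interactive) option."""
    if os.path.basename(event.get("process", "")) not in SHELLS:
        return False
    try:
        argv = shlex.split(event.get("cmdline", ""))
    except ValueError:
        # Unbalanced quotes in the captured command line: treat as non-matching.
        return False
    # Only the shell's own leading options count. Stop at the first non-option
    # argument so text inside a -c command string is never inspected.
    for arg in argv[1:]:
        if not arg.startswith("-") or arg == "--":
            break
        if arg.startswith("--"):
            continue  # long options like --login carry no single-letter flags
        if "i" in arg[1:]:  # handles "-i" and clusters such as "-il" or "-ic"
            return True
    return False


def detect_interactive_shells(jsonl: str) -> list:
    """Return one alert record per matching event, keeping the attributes an analyst needs."""
    alerts = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_interactive_shell(event):
            alerts.append({
                "time": event.get("time"),
                "host": event.get("host"),
                "user": event.get("user"),
                "src_ip": event.get("src_ip") or None,
                "process": event.get("process"),
                "cmdline": event.get("cmdline"),
                "parent": event.get("parent"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_interactive_shells(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input this yields three alerts (the two `sh -i` launches from web-01 and the `bash -il` from db-02) and stays silent on the cron-driven `sh -c`, the `grep -i` run, and the `sh -c 'python3 -i ...'` case. The `parent` field is retained because the parent process (for example a web-application worker spawning a shell) is usually the most useful context for triage and for tuning out benign interactive sessions started from sshd.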
Categories
- Endpoint
- Linux
Data Sources
- Process
- User Account
- Network Traffic
- Command
ATT&CK Techniques
- T1059.004
Created: 2024-02-09