
EggShell Backdoor Execution

Elastic Detection Rules

Summary
The "EggShell Backdoor Execution" rule detects execution of EggShell, a Python-based post-exploitation and surveillance tool for macOS and Linux. It flags process start events where the process name is 'espl' (the EggShell payload) and a process argument begins with a fixed base64 string: EggShell hands its JSON configuration to the payload base64-encoded, so the leading characters of that argument are constant across deployments. The detection is a query over process events collected from endpoints (event category and type, process name and process arguments), so it depends on process-creation telemetry that records the full argument list. The rule carries a risk score of 73 (high severity): a match is strong evidence of an active backdoor and should be triaged promptly. The investigation guide notes that legitimate scripts can produce false positives and recommends reviewing the process arguments (including decoding the base64 string), the user account that launched the process, and any associated network activity. The rule maps to the MITRE ATT&CK execution tactic, technique T1059 (Command and Scripting Interpreter) and its sub-technique T1059.006 (Python).
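The detection logic described above, re-implemented over constructed ECS-style process events so it can be run offline. This is an added example, not Elastic's rule code. It assumes the prefix Elastic's published query matches, eyJkZWJ1ZyI6 (the base64 encoding of `{"debug":`, the opening of EggShell's JSON settings object; this page does not state the value), and derives it from that JSON head rather than hard-coding it. The event field names follow ECS (`event.category`, `event.type`, `process.name`, `process.args`); the sample events and their configuration values are constructed for the example. A second, stricter check decodes and parses the argument, which also shows why a prefix match alone is brittle: reordering the JSON keys changes the base64 prefix and slips past the rule but not past the decode.

```python
"""Re-implementation of the EggShell Backdoor Execution rule logic (example code,
not Elastic's own) over constructed ECS-style process events."""
import base64
import json

# EggShell's payload is launched with its JSON settings base64-encoded as an
# argument. Because that JSON begins with {"debug": its base64 form begins with
# a fixed prefix. Derived here so the reader sees where eyJkZWJ1ZyI6 comes from.
EGGSHELL_JSON_HEAD = b'{"debug":'
EGGSHELL_B64_PREFIX = base64.b64encode(EGGSHELL_JSON_HEAD).decode()


def matches_rule(event: dict) -> bool:
    """Equivalent of the rule's conditions: a process start event whose process
    name is 'espl' and where some argument starts with the EggShell prefix.
    process.args is an array, so any element may match, as in the query."""
    ev = event.get("event", {})
    if ev.get("category") != "process":
        return False
    if ev.get("type") not in ("start", "process_started"):
        return False
    proc = event.get("process", {})
    if proc.get("name") != "espl":
        return False
    return any(arg.startswith(EGGSHELL_B64_PREFIX) for arg in proc.get("args", []))


def decode_eggshell_config(arg: str):
    """Stricter analyst check: base64-decode and JSON-parse the argument and
    return the object if it looks like an EggShell settings object (a JSON
    object with a 'debug' key), else None. Catches reordered-key variants that
    the prefix match misses and is also useful during triage to read the C2
    settings out of the argument."""
    try:
        raw = base64.b64decode(arg, validate=True)  # binascii.Error on junk
        obj = json.loads(raw)                       # JSONDecodeError / UnicodeDecodeError
    except ValueError:                              # all of the above subclass ValueError
        return None
    return obj if isinstance(obj, dict) and "debug" in obj else None


# ---- constructed sample data (not real telemetry) -------------------------
def event(name, args, etype="start"):
    return {"event": {"category": "process", "type": etype},
            "process": {"name": name, "args": args}}


def b64(obj) -> str:
    return base64.b64encode(json.dumps(obj, separators=(",", ":")).encode()).decode()


CONFIG = {"debug": False, "host": "203.0.113.10", "port": 4444}   # assumed settings
EVASION = {"host": "203.0.113.10", "port": 4444, "debug": False}  # same, keys reordered

SAMPLE_EVENTS = [
    event("espl", ["espl", b64(CONFIG)]),                # EggShell payload launch
    event("python3", ["python3", b64(CONFIG)]),          # same config, wrong process name
    event("espl", ["espl", "--help"]),                   # espl with a non-base64 argument
    event("espl", ["espl", b64(EVASION)]),               # reordered keys: prefix no longer matches
    event("espl", ["espl", b64(CONFIG)], etype="end"),   # process end, not start
]


def run(events):
    """For each event return (rule_match, decoded_config_found)."""
    return [
        (matches_rule(e),
         any(decode_eggshell_config(a) is not None for a in e["process"]["args"]))
        for e in events
    ]


if __name__ == "__main__":
    print("prefix:", EGGSHELL_B64_PREFIX)
    for e, (hit, decoded) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{e['process']['name']:8} {e['event']['type']:6} rule={hit!s:5} decoded={decoded}")
```

Only the first sample event fires the rule. The fourth shows the caveat a practitioner should keep in mind: the rule keys on the byte-exact start of the JSON, so a trivially modified payload that emits its settings in a different key order evades it, while the decode-and-parse check still recognises the configuration. During triage, `decode_eggshell_config` on the flagged argument gives you the implant's settings directly.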
Categories
  • Endpoint
  • macOS
  • Linux
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1059 (Command and Scripting Interpreter)
  • T1059.006 (Python)
Created: 2021-01-12