
Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable
Elastic Detection Rules
Summary
This rule identifies potential process injection attempts in Linux environments by monitoring the execution of processes with the LD_PRELOAD environment variable set. LD_PRELOAD can be used by threat actors to inject a shared library into binaries, enabling malicious activities such as persistence, privilege escalation, or evading security mechanisms. Given its uncommon use, the presence of this variable during process execution is a noteworthy indicator of possible malicious behavior. However, this rule has been deprecated due to a high incidence of false positives and insufficient true positives. To effectively use this rule, the Elastic Defend integration must be configured in compliance with specific prerequisites and advanced settings that enable environment variable tracking.
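As an added illustration of the detection logic described above (not the rule's own query, which this page does not include), the Python below evaluates constructed process events for an `LD_PRELOAD` environment variable; the event shape, the allowlist of benign preload libraries and the sample events are assumptions, and the allowlist shows one source of the false positives that led to deprecation.

```python
"""Added example, not the Elastic rule's query: flag process execution
events whose environment sets LD_PRELOAD. Event shape, allowlist and
sample events are assumptions made for illustration."""

# Libraries commonly preloaded for benign reasons (assumed, illustrative):
# allocator replacements, fakeroot, profilers. Tune per fleet.
BENIGN_PRELOAD_LIBS = {"libjemalloc.so.2", "libtcmalloc.so.4", "libfakeroot-sysv.so"}

# Directories from which a preloaded library is unusual for a service.
TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

def parse_env(env_vars):
    """env_vars: list of 'KEY=VALUE' strings, as an EDR might record them."""
    env = {}
    for item in env_vars:
        key, sep, value = item.partition("=")
        if sep:
            env[key] = value
    return env

def preload_libs(value):
    """The loader accepts colon- or space-separated paths in LD_PRELOAD."""
    return [p for p in value.replace(":", " ").split() if p]

def evaluate(event):
    """Return (alert, reason) for one process event."""
    env = parse_env(event.get("process", {}).get("env_vars", []))
    value = env.get("LD_PRELOAD")
    if value is None or not value.strip():
        return False, "LD_PRELOAD not set"
    libs = preload_libs(value)
    basenames = {lib.rsplit("/", 1)[-1] for lib in libs}
    if basenames <= BENIGN_PRELOAD_LIBS:
        return False, "only allowlisted libraries: " + ", ".join(sorted(basenames))
    reason = "non-allowlisted preload: " + ", ".join(sorted(basenames - BENIGN_PRELOAD_LIBS))
    if any(lib.startswith(TEMP_DIRS) for lib in libs):
        reason += " (loaded from a world-writable temp directory)"
    return True, reason

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"process": {"name": "redis-server", "env_vars": ["PATH=/usr/bin", "LD_PRELOAD=/usr/lib/libjemalloc.so.2"]}},
    {"process": {"name": "sshd", "env_vars": ["LD_PRELOAD=/tmp/libhook.so"]}},
    {"process": {"name": "bash", "env_vars": ["HOME=/root"]}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        alert, reason = evaluate(ev)
        print(("ALERT " if alert else "ok    ") + ev["process"]["name"] + ": " + reason)
```

In a real deployment the allowlist grows quickly, which is the practical reason a bare "LD_PRELOAD is set" condition produced more noise than signal.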
Categories
- Linux
- Endpoint
Data Sources
- Process
- File
- Command
ATT&CK Techniques
- T1574
- T1574.006
Created: 2023-06-26