
Summary
This detection rule monitors network activity initiated by processes named `kworker` on Linux systems. Genuine kworker threads are the worker threads of the kernel's workqueue subsystem: they are spawned by `kthreadd`, run deferred kernel work such as the bottom halves of interrupt handling and other background tasks, and have no user-space executable. Because they exist on every Linux host and are rarely scrutinized, attackers name their implants `kworker` (for example `[kworker/0:1]`) so that the implant's network connections blend in with kernel activity. The rule targets connections attempted or accepted by kworker-named processes, excluding known trusted IP ranges and certain ports, since a kworker process reaching an arbitrary external host may indicate command and control (C2) traffic. By correlating kworker process activity with network events, the rule aims to surface this masquerading and alert security teams for further investigation. When triaging a hit, check the parent and the executable: a real kworker thread has `kthreadd` (PID 2) as its parent and no executable path, whereas a masquerading process normally has a user-space parent and a binary on disk, often in a world-writable directory such as `/tmp`. Kernel-mode network clients such as NFS or iSCSI can legitimately generate traffic from kernel threads, so the trusted-range and port exclusions are where that expected noise should be tuned out. Catching this early matters for maintaining endpoint security and preventing unauthorized access or data exfiltration.
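The following is an added example, not the rule's own query or code: it runs the detection logic described above over a handful of constructed, ECS-shaped endpoint events, applies trusted-range and trusted-port exclusions, and then derives the triage indicators that separate a genuine kernel thread from a process merely named `kworker`. The trusted networks and ports, field names, and sample events are all assumptions made for illustration and are not the rule's actual exclusion list.

```python
import ipaddress

# Assumed exclusions for this example only; the real rule's list is not reproduced here.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128",
)]
TRUSTED_PORTS = {53}  # assumed: resolver traffic is excluded

# Constructed sample events in an ECS-like shape (not real telemetry).
SAMPLE_EVENTS = [
    # Genuine kernel thread: parent is kthreadd (PID 2), no executable, internal destination.
    {"event.type": "connection_attempted", "process.name": "kworker/0:1",
     "process.pid": 123, "process.parent.pid": 2, "process.executable": None,
     "destination.ip": "10.1.2.3", "destination.port": 2049},
    # Masquerading implant named kworker: real binary in /tmp, shell parent, external C2.
    {"event.type": "connection_attempted", "process.name": "kworker/u8:2",
     "process.pid": 4411, "process.parent.pid": 4400,
     "process.executable": "/tmp/.x/kworker",
     "destination.ip": "203.0.113.10", "destination.port": 4444},
    # Same masquerader talking to a trusted internal range: excluded by design.
    {"event.type": "connection_accepted", "process.name": "kworker/u8:2",
     "process.pid": 4411, "process.parent.pid": 4400,
     "process.executable": "/tmp/.x/kworker",
     "destination.ip": "192.168.1.5", "destination.port": 8080},
    # Unrelated process: out of scope for this rule.
    {"event.type": "connection_attempted", "process.name": "curl",
     "process.pid": 900, "process.parent.pid": 800, "process.executable": "/usr/bin/curl",
     "destination.ip": "203.0.113.10", "destination.port": 443},
]

NETWORK_EVENT_TYPES = {"connection_attempted", "connection_accepted"}


def is_trusted_destination(ip: str, port: int) -> bool:
    """Exclusion logic: destination in an assumed-trusted range or on an assumed-trusted port."""
    addr = ipaddress.ip_address(ip)
    return port in TRUSTED_PORTS or any(addr in net for net in TRUSTED_NETWORKS)


def detect_kworker_network(events):
    """Return events where a kworker-named process attempted or accepted a
    connection to a destination that is not covered by the exclusions."""
    hits = []
    for ev in events:
        if ev.get("event.type") not in NETWORK_EVENT_TYPES:
            continue
        if not str(ev.get("process.name", "")).startswith("kworker"):
            continue
        if is_trusted_destination(ev["destination.ip"], ev["destination.port"]):
            continue
        hits.append(ev)
    return hits


def masquerade_indicators(ev):
    """Triage hints: a genuine kworker thread is a child of kthreadd (PID 2) and has
    no user-space executable. Each failed check is returned as a reason string."""
    reasons = []
    if ev.get("process.parent.pid") != 2:
        reasons.append("parent is not kthreadd (PID 2)")
    exe = ev.get("process.executable")
    if exe:
        reasons.append(f"kernel threads have no executable, but this one runs {exe}")
        if exe.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
            reasons.append("executable lives in a world-writable scratch directory")
    return reasons


if __name__ == "__main__":
    for hit in detect_kworker_network(SAMPLE_EVENTS):
        print(f"ALERT {hit['process.name']} (pid {hit['process.pid']}) -> "
              f"{hit['destination.ip']}:{hit['destination.port']}")
        for reason in masquerade_indicators(hit):
            print(f"  - {reason}")
```

Only the external connection from the `/tmp` binary is alerted on; the same process talking to an internal range is suppressed by the exclusions, which is exactly where a kernel-mode NFS or iSCSI client would also be tuned out. The indicator list is what an analyst would confirm on the host with `ls -l /proc/<pid>/exe` and the parent PID in `/proc/<pid>/status`.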
Categories
- Endpoint
- Linux
Data Sources
- Process
- Network Traffic
- Logon Session
ATT&CK Techniques
- T1014 (Rootkit)
- T1036 (Masquerading)
- T1041 (Exfiltration Over C2 Channel)
Created: 2023-10-18