System Binary Symlink to Suspicious Location

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious creation of symbolic links on Linux hosts. Specifically, it targets cases where a symbolic link points from a system binary to a suspicious, writable directory. Attackers may create such links to bypass security controls that depend on known parent/child process relationships, thereby evading detection. The rule uses a query over process attributes and actions, looking for instances where certain binaries (such as 'ln' and 'cp') are used to create symbolic links, and it focuses on abnormal parent processes that could signify a compromised environment. By using the 'new_terms' rule type, it surfaces rare or previously unseen parent processes associated with symlink creation, offering a proactive way to identify this defense evasion tactic.
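As an added illustration (not Elastic's rule or its query), the Python below sketches the logic the summary describes over a few constructed process events: it flags ln/cp symlink creations whose target is a system binary and whose link lands in a writable directory, then, imitating the new_terms behaviour, reports only parent processes absent from a baseline of already-seen parents. The directory lists, field names and baseline set are assumptions.

```python
# Assumed directory lists; the rule's own lists may differ.
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def wants_symlink(args):
    """True if an ln/cp argv asks for a symbolic link (-s, -sf, --symbolic ...)."""
    for a in args[1:]:
        if a in ("--symbolic", "--symbolic-link"):
            return True
        # short option cluster such as -s or -sf, but not a long option like --preserve
        if a.startswith("-") and not a.startswith("--") and "s" in a[1:]:
            return True
    return False


def detect(events, baseline_parents):
    """Return (parent, system_binary, link_path) for each suspicious symlink creation."""
    alerts = []
    for ev in events:
        args = ev["process.args"]
        if ev["process.name"] not in ("ln", "cp") or not wants_symlink(args):
            continue
        positional = [a for a in args[1:] if not a.startswith("-")]
        if len(positional) < 2:
            continue
        # ln -s TARGET LINK: the link is created at LINK and resolves to TARGET
        target, link = positional[-2], positional[-1]
        if not (target.startswith(SYSTEM_BIN_DIRS) and link.startswith(WRITABLE_DIRS)):
            continue
        # new_terms behaviour: only parents not seen doing this before are reported
        if ev["process.parent.name"] not in baseline_parents:
            alerts.append((ev["process.parent.name"], target, link))
    return alerts


# Constructed sample events using ECS-style field names (not real telemetry).
EVENTS = [
    {"process.name": "ln", "process.parent.name": "python3",
     "process.args": ["ln", "-sf", "/usr/bin/bash", "/tmp/.x/sh"]},
    {"process.name": "ln", "process.parent.name": "dpkg",  # link lands in a system dir
     "process.args": ["ln", "-s", "/usr/bin/python3", "/usr/local/bin/python"]},
    {"process.name": "cp", "process.parent.name": "bash",  # parent is in the baseline
     "process.args": ["cp", "-s", "/bin/ls", "/dev/shm/ls"]},
    {"process.name": "ln", "process.parent.name": "perl",
     "process.args": ["ln", "--symbolic", "/usr/sbin/sshd", "/var/tmp/sshd"]},
    {"process.name": "ln", "process.parent.name": "perl",  # hard link, not symbolic
     "process.args": ["ln", "/usr/bin/cat", "/tmp/cat"]},
]
BASELINE_PARENTS = {"bash", "sh", "dpkg", "rpm"}  # assumed "already seen" parents

for parent, target, link in detect(EVENTS, BASELINE_PARENTS):
    print(f"ALERT parent={parent} link={link} -> {target}")
```

The baseline set stands in for the history window a real new_terms rule keeps; in production it would be the set of parent names observed over the rule's look-back period.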
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1574
  • T1202
  • T1564
Created: 2025-04-30