
Suspicious Network Activity to the Internet by Previously Unknown Executable
Elastic Detection Rules
Summary
This rule monitors for suspicious network activity initiated by unknown executables running from non-standard directories on Linux systems. It identifies cases where a previously unseen executable attempts to establish a network connection to an external IP address, which may indicate unauthorized activity such as malware communicating with a command and control (C2) server. The query filters process network events by executable path, matching directories commonly associated with malware staging, so that malicious behavior can be detected through the network connections it makes. The rule uses the new terms rule type, so it alerts only on executables that have not been seen connecting out before; it carries a risk score of 21 and targets endpoint security. When it triggers, the investigation guide suggests osquery queries to assess listening ports, open sockets, and user activity, with an emphasis on post-event analysis and remediation. It highlights the importance of isolating affected hosts to prevent further compromise and conducting a thorough investigation to strengthen security and response measures.
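To make the detection logic concrete, the following is an added Python example (not Elastic's code and not the rule's actual query) that emulates how a new terms rule of this shape behaves over a small set of constructed process network events. The per-event filter (executable under a hypothetical list of suspicious directories, outbound connection to a non-private address) stands in for the rule's KQL, and the history/alert windows stand in for the new terms history window; the directory list, field names, window sizes and sample events are all assumptions made for the example.

```python
"""Emulation of a "new terms" detection over process network events.

Added example, not Elastic's implementation. Assumptions (not from the rule):
the SUSPICIOUS_PREFIXES list, the history/window split, and the event fields.
The real rule's query and new-terms fields live in the rule definition itself.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical list of directories the example treats as unusual for a
# network-capable binary. Illustrative only; not the rule's own list.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/var/www/")


@dataclass(frozen=True)
class NetEvent:
    ts: int          # epoch seconds (constructed)
    host_id: str     # host.id
    executable: str  # process.executable
    dest_ip: str     # destination.ip
    action: str      # event.action, e.g. "connection_attempted"


def is_external(ip: str) -> bool:
    """True for routable addresses; private, loopback, link-local, multicast,
    reserved and unspecified ranges (and unparsable strings) are excluded."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def in_suspicious_dir(path: str) -> bool:
    return path.startswith(SUSPICIOUS_PREFIXES)


def matches_query(ev: NetEvent) -> bool:
    """Per-event filter: an outbound connection attempt from a suspicious path
    to an external destination. Stands in for the rule's KQL query."""
    return (ev.action == "connection_attempted"
            and in_suspicious_dir(ev.executable)
            and is_external(ev.dest_ip))


def new_terms_alerts(events: Iterable[NetEvent], history_seconds: int,
                     window_seconds: int) -> List[NetEvent]:
    """Emulate a new-terms rule keyed on (host.id, process.executable).

    A pair that matches the query inside the alert window, but never matched
    it during the preceding history window, fires exactly once. Assumption:
    the history baseline is built only from events that also match the query,
    which is how a new-terms rule is treated here."""
    ordered = sorted(events, key=lambda e: e.ts)
    if not ordered:
        return []
    window_start = ordered[-1].ts - window_seconds
    history_start = window_start - history_seconds

    seen_before = {
        (ev.host_id, ev.executable)
        for ev in ordered
        if history_start <= ev.ts < window_start and matches_query(ev)
    }

    alerts: List[NetEvent] = []
    fired = set()
    for ev in ordered:
        if ev.ts < window_start or not matches_query(ev):
            continue
        key = (ev.host_id, ev.executable)
        if key in seen_before or key in fired:
            continue
        fired.add(key)
        alerts.append(ev)
    return alerts


# Constructed sample events. Public resolver addresses are used as stand-ins
# for arbitrary external destinations; hostnames and paths are invented.
SAMPLE_EVENTS = [
    NetEvent(1000, "host-a", "/usr/bin/curl", "1.1.1.1", "connection_attempted"),          # standard path: filtered out
    NetEvent(1100, "host-a", "/home/dev/build/agent", "8.8.8.8", "connection_attempted"),  # history: baseline pair
    NetEvent(5000, "host-a", "/home/dev/build/agent", "8.8.8.8", "connection_attempted"),  # window: already known
    NetEvent(5100, "host-a", "/dev/shm/.x/kworker", "9.9.9.9", "connection_attempted"),    # window: new pair -> alert
    NetEvent(5150, "host-a", "/dev/shm/.x/kworker", "1.1.1.1", "connection_attempted"),    # same pair: no second alert
    NetEvent(5200, "host-b", "/tmp/update.sh", "10.0.0.5", "connection_attempted"),        # private destination: ignored
    NetEvent(5300, "host-b", "/tmp/update.sh", "127.0.0.1", "connection_attempted"),       # loopback: ignored
    NetEvent(5400, "host-b", "/var/tmp/miner", "8.8.8.8", "connection_attempted"),         # new pair on host-b -> alert
]


def run_example() -> List[NetEvent]:
    """History window of one day, alert window of ten minutes (assumed values)."""
    return new_terms_alerts(SAMPLE_EVENTS, history_seconds=86400, window_seconds=600)


if __name__ == "__main__":
    for a in run_example():
        print(f"ALERT host={a.host_id} exe={a.executable} dst={a.dest_ip}")
```

Two behaviours worth noting when tuning a rule like this: a binary that already connected out during the history window is silent even if it is malicious (the baseline only says "not new"), and a build or deployment directory under /home will produce a first-seen alert for every fresh artifact, so exceptions should be scoped by path and host rather than by destination IP.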
Categories
- Endpoint
- Linux
Data Sources
- Process
- Network Traffic
- File
- User Account
ATT&CK Techniques
- T1071
Created: 2023-06-14