System Binary Moved - *nix

Anvilogic Forge

Summary
This detection rule monitors for an evasion tactic used by adversaries targeting Unix-based systems: moving or renaming system binaries. On Unix systems, attackers may rename legitimate system utilities to bypass security mechanisms that monitor their usage. The rule captures movement of files in the '/bin' directory, which matters because that directory holds essential system commands. The logic queries CrowdStrike process data for events in the past two hours in which the 'mv' command (the standard utility for moving and renaming files) was executed, focusing on moves of binaries within the '/bin' directory. The associated ATT&CK techniques are System Binary Proxy Execution (T1218) and Masquerading (T1036). The rule helps security teams detect attempts to evade defenses by monitoring for this specific behavior, which has been observed in previous operations by threat groups such as TeamTNT.
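As an added illustration, not Anvilogic's rule or its CrowdStrike query, the detection condition described above expressed in Python over a few constructed process events: an 'mv' execution in the last two hours whose source or destination operand lies under '/bin'. The event field names and the 11:00 UTC reference time are assumptions.

```python
import shlex
import posixpath
from datetime import datetime, timedelta, timezone

BIN_DIR = "/bin"
WINDOW = timedelta(hours=2)

# Constructed sample process events (not real telemetry); the field name
# loosely follows CrowdStrike naming but is an assumption, not its schema.
SAMPLE_EVENTS = [
    {"timestamp": "2024-02-09T10:05:00Z", "CommandLine": "mv /bin/ps /bin/.ps.bak"},
    {"timestamp": "2024-02-09T10:20:00Z", "CommandLine": "mv -f /tmp/ps /bin/ps"},
    {"timestamp": "2024-02-09T10:30:00Z", "CommandLine": "mv report.txt /home/alice/docs/"},
    {"timestamp": "2024-02-09T06:00:00Z", "CommandLine": "mv /bin/ls /bin/dir"},  # outside window
    {"timestamp": "2024-02-09T10:40:00Z", "CommandLine": "cp /bin/ls /tmp/ls"},   # not mv
]

def in_bin(path):
    """True if path normalises to /bin itself or anything beneath it."""
    return posixpath.normpath(path) == BIN_DIR or posixpath.normpath(path).startswith(BIN_DIR + "/")

def mv_operands(command_line):
    """Non-option operands of an mv command line; [] if it is not mv or is unparseable."""
    try:
        tokens = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: unparseable, so not a hit
        return []
    if not tokens or posixpath.basename(tokens[0]) != "mv":
        return []
    operands, opts_done = [], False
    for tok in tokens[1:]:
        if tok == "--" and not opts_done:
            opts_done = True  # everything after '--' is an operand
        elif tok.startswith("-") and not opts_done:
            continue  # an option such as -f or --force
        else:
            operands.append(tok)
    return operands

def detect_bin_moves(events, now):
    """Events within the two hours before `now` whose mv source or destination is under /bin."""
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        if now - WINDOW <= ts <= now and any(in_bin(p) for p in mv_operands(ev["CommandLine"])):
            hits.append(ev)
    return hits

def run_sample():
    return detect_bin_moves(SAMPLE_EVENTS, datetime(2024, 2, 9, 11, 0, tzinfo=timezone.utc))
```

Operands given as relative paths are not resolved here because the command line alone does not carry the working directory; a production rule would need a current-directory field from the sensor to close that gap.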
Categories
  • Linux
  • macOS
Data Sources
  • Process
ATT&CK Techniques
  • T1218
  • T1036
Created: 2024-02-09