
Mknod Process Activity

Elastic Detection Rules

Summary
This detection rule targets the use of the Linux 'mknod' program, which is sometimes used in the command payload of remote command injection (RCI) and similar exploits to export a shell when a traditional netcat is not available: 'mknod' can create a named pipe (FIFO) through which a shell's input and output are wired to whatever network client the host does have. The rule alerts on process-start events whose process name is 'mknod', evaluating events within a 9-minute lookback window (the rule's 'now-9m' window, not 9 months) on each run. An alert is most significant when the execution diverges from normal operations, particularly when 'mknod' is launched by or under a web server process, which is the pattern to expect from command injection. Some legitimate use of 'mknod' does occur, in rare cases, from scripts, automation tools, and frameworks; those parent processes are the expected source of false positives and should be triaged rather than suppressed outright.
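The detection logic the summary describes, replayed over sample events, as an added example written for this page rather than Elastic's own rule code. It assumes ECS-style process events (the field layout Elastic's process data source emits), a constructed list of sample events, and a hypothetical set of web-server parent names used only to prioritise alerts; the match predicate approximates the rule's query rather than quoting it.

```python
"""Added example, not Elastic's rule code: the mknod rule's logic replayed over
constructed ECS-style process events, with the page's triage hint (mknod launched
by a web server is the suspicious case) applied as a priority label."""
from datetime import datetime, timedelta, timezone

# Approximation of the rule's process-start match, expressed as a predicate:
#   event.category:process and event.type:(start or process_started)
#   and process.name:mknod
MATCH_TYPES = {"start", "process_started"}
LOOKBACK = timedelta(minutes=9)  # the rule's 'now-9m' window: 9 minutes, not months

# Hypothetical web-server parent names (assumption for prioritisation, not from the rule).
WEB_SERVER_PARENTS = {"httpd", "apache2", "nginx", "php-fpm"}

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T11:58:30Z",
     "event": {"category": "process", "type": ["start"]},
     "host": {"name": "web-01"},
     "process": {"name": "mknod", "command_line": "mknod /tmp/backpipe p",
                 "parent": {"name": "sh"}}},
    {"@timestamp": "2024-01-01T11:59:10Z",
     "event": {"category": "process", "type": ["start"]},
     "host": {"name": "web-02"},
     "process": {"name": "mknod", "command_line": "mknod /dev/shm/p p",
                 "parent": {"name": "httpd"}}},
    # Matches the query, but three hours old: outside the lookback window.
    {"@timestamp": "2024-01-01T09:00:00Z",
     "event": {"category": "process", "type": ["start"]},
     "host": {"name": "build-01"},
     "process": {"name": "mknod", "command_line": "mknod /dev/loop9 b 7 9",
                 "parent": {"name": "cloud-init"}}},
    # Sibling tool the rule does not match.
    {"@timestamp": "2024-01-01T11:59:40Z",
     "event": {"category": "process", "type": ["start"]},
     "host": {"name": "web-01"},
     "process": {"name": "mkfifo", "command_line": "mkfifo /tmp/f",
                 "parent": {"name": "sh"}}},
    # Process end event for mknod: wrong event.type.
    {"@timestamp": "2024-01-01T11:59:50Z",
     "event": {"category": "process", "type": ["end"]},
     "host": {"name": "web-02"},
     "process": {"name": "mknod", "command_line": "mknod /dev/shm/p p",
                 "parent": {"name": "httpd"}}},
]


def _ts(event):
    """Parse an ECS @timestamp (RFC 3339 with trailing Z) to an aware datetime."""
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def matches_rule(event):
    """True when the event is a mknod process start, mirroring the rule's query."""
    ev = event.get("event", {})
    types = ev.get("type", [])
    if isinstance(types, str):  # some shippers emit a scalar instead of a list
        types = [types]
    return (ev.get("category") == "process"
            and bool(MATCH_TYPES & set(types))
            and event.get("process", {}).get("name") == "mknod")


def in_lookback(event, now=NOW, lookback=LOOKBACK):
    """Keep only events inside the rule's search window [now - lookback, now]."""
    return now - lookback <= _ts(event) <= now


def priority(event):
    """Page's triage hint: mknod started by a web server is the suspicious case."""
    parent = event["process"].get("parent", {}).get("name", "")
    return "high" if parent in WEB_SERVER_PARENTS else "review"


def detect(events, now=NOW):
    """Replay the rule over a batch of events and return alert records."""
    return [
        {"host": e["host"]["name"],
         "parent": e["process"].get("parent", {}).get("name", ""),
         "command_line": e["process"].get("command_line", ""),
         "priority": priority(e)}
        for e in events
        if matches_rule(e) and in_lookback(e, now)
    ]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the sample batch yields two alerts: the 'web-01' event (parent 'sh', marked for review) and the 'web-02' event (parent 'httpd', marked high). The 'cloud-init' event matches the query but falls outside the 9-minute window, and the 'mkfifo' and process-end events never match. In real telemetry the web-server check should walk the full ancestry rather than the immediate parent, since an injected command usually reaches 'mknod' through an intermediate 'sh -c'.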
Categories
  • Linux
  • Endpoint
  • Infrastructure
Data Sources
  • Process
  • Logon Session
  • Network Traffic
Created: 2020-02-18