Remove Immutable File Attribute

Sigma Rules

Summary
This detection rule identifies use of the 'chattr' utility on Linux systems to remove the immutable attribute from files. The immutable attribute is a file property that prevents modification of the file, adding a layer of protection. By detecting the 'chattr -i' command, which removes this protection, the rule aims to flag potentially malicious activity in which an attacker alters protected files to gain unauthorized access or to undermine system integrity. The rule specifically targets process creation events in which the 'chattr' utility is invoked with the -i option on the command line. The rule is assigned a medium level, since removal of the immutable attribute can indicate an evasion tactic by attackers attempting to manipulate the security settings that protect critical files. False positives may occur when legitimate administrators are managing files, particularly in backup scenarios.
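The following is an added example (not the Sigma rule itself) that applies the logic described above to constructed process-creation events. The field names Image, CommandLine and User, the sample events, and the "backup account" triage heuristic are all assumptions made for this example; it also generalises slightly by catching the -i option when it is combined with other short flags (e.g. -ia) or appears after other options (e.g. -R -i).

```python
import shlex
from typing import Dict, List

# Constructed sample events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr -i /etc/passwd", "User": "root"},
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr +i /etc/resolv.conf", "User": "root"},
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr -ia /var/log/auth.log", "User": "root"},
    {"Image": "/usr/bin/chattr", "CommandLine": "/usr/bin/chattr -R -i /srv/data", "User": "backup"},
    {"Image": "/usr/bin/lsattr", "CommandLine": "lsattr -i /etc/shadow", "User": "root"},
    {"Image": "/usr/bin/chattr", "CommandLine": "chattr -V /tmp/x", "User": "root"},
]


def removes_immutable(event: Dict[str, str]) -> bool:
    """True when the event is chattr clearing the immutable ('i') attribute.

    Mirrors the rule: process creation, the image is chattr, and the command
    line carries the -i option. Short flags may be combined ("-ia") and the
    mode may follow other options ("-R -i"), so every '-' token is inspected
    rather than searching for a literal "-i" substring. "+i" does not match.
    """
    image = event.get("Image", "")
    if image != "chattr" and not image.endswith("/chattr"):
        return False
    try:
        argv = shlex.split(event.get("CommandLine", ""))
    except ValueError:  # unbalanced quotes: unparsable, do not match
        return False
    return any(t.startswith("-") and "i" in t[1:] for t in argv[1:])


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the detection over an event stream and tag hits for review.

    Hits attributed to a backup account (an assumed naming convention) are
    marked as not needing review, reflecting the false-positive note above.
    """
    hits = []
    for ev in events:
        if removes_immutable(ev):
            is_backup = "backup" in ev.get("User", "").lower()
            hits.append({"command": ev["CommandLine"], "level": "medium",
                         "needs_review": not is_backup})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```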
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
Created: 2022-09-15