
Summary
This detection rule identifies potentially malicious SSH child processes on Unix-like systems that may indicate an exploit in progress, specifically one related to CVE-2024-3094. By monitoring the SSH daemon (sshd) for child processes started as the root user and examining their command-line arguments, the rule highlights suspicious activity that resembles exploitation attempts targeting product delivery mechanisms. It uses EDR logs as its data source to spot patterns in which processes such as 'bash -c' or 'sh -c' are invoked under certain user contexts. Matches on these patterns may indicate lateral movement or supply chain compromise by adversaries, and warrant further investigation and response.
Categories
- Endpoint
- Linux
Data Sources
- Process
- User Account
- File
ATT&CK Techniques
- T1021.004
- T1195
Created: 2024-02-09