
OpenSSL Password Hash Generation

Elastic Detection Rules

Summary
This detection rule identifies use of the `openssl` command on Linux systems to generate password hashes (`openssl passwd`), which can indicate account creation or password modification by an attacker. The hashes that `openssl passwd` produces are in crypt(3) format and can be passed directly to tools such as `useradd -p`, `usermod -p` or `chpasswd -e`, so an attacker can create a new local account or reset an existing password non-interactively and gain persistent access. The rule matches process start events where the process name is `openssl` and the argument list contains `passwd`, the subcommand that generates password hashes. Alerts from this rule should be reviewed promptly, since they may indicate attempts to manipulate user credentials. The accompanying investigation guide covers validating alerts, examining the invoking user's activity and assessing risk, and describes how to handle false positives from legitimate administrative tasks that generate password hashes.
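The detection logic described above, as an added example run over constructed process events. This is not Elastic's rule or its query: the event shape loosely follows ECS field names (`host.os.type`, `event.action`, `process.name`, `process.args`, `process.parent`), the sample events are made up for illustration, and the parent-process allowlist and the correlation with a later `useradd`/`usermod`/`chpasswd` run are assumptions layered on top of the rule to show how an analyst might triage it.

```python
"""
Toy re-implementation of the "OpenSSL Password Hash Generation" detection:
flag Linux process starts of `openssl` with the `passwd` subcommand, then
(beyond the rule itself) look for a follow-up account change that consumes
the hash. Event shape and sample data are constructed, not real telemetry.
"""
from dataclasses import dataclass, field

# Algorithm selector flags accepted by `openssl passwd`, surfaced for triage so
# an analyst can tell an /etc/shadow-style SHA-512 hash from a legacy DES crypt.
ALGO_FLAGS = {
    "-crypt": "DES crypt (legacy)",
    "-1": "MD5 crypt",
    "-apr1": "Apache MD5 (htpasswd)",
    "-5": "SHA-256 crypt",
    "-6": "SHA-512 crypt",
}

# Commands that accept a pre-hashed password (useradd/usermod -p, chpasswd -e),
# i.e. where the openssl output usually ends up. Used by the correlation step.
ACCOUNT_CHANGE_CMDS = {"useradd", "usermod", "chpasswd"}


@dataclass
class Finding:
    timestamp: int
    user: str
    parent: str
    algorithm: str
    command_line: str
    follow_up: list = field(default_factory=list)  # related account changes


def is_password_hash_generation(event: dict) -> bool:
    """Rule conditions: Linux process start of `openssl` with the `passwd` subcommand.

    `passwd` is matched as a whole argument in subcommand position (args[1]),
    not as a substring of the command line.
    """
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    if event.get("event", {}).get("action") not in ("exec", "start"):
        return False
    proc = event.get("process", {})
    args = proc.get("args", [])
    return proc.get("name") == "openssl" and len(args) >= 2 and args[1] == "passwd"


def describe_algorithm(args: list) -> str:
    """Name the hash algorithm selected on the command line, if any."""
    return next((ALGO_FLAGS[a] for a in args if a in ALGO_FLAGS), "unspecified (tool default)")


def detect(events: list, allowlisted_parents: frozenset = frozenset(), window: int = 300) -> list:
    """Return one Finding per matching event, enriched with any useradd/usermod/chpasswd
    run by the same user from the same parent process within `window` seconds.

    `allowlisted_parents` is an assumed false-positive control, not part of the rule:
    hash generation launched by a known provisioning tool is dropped.
    """
    findings = []
    for ev in events:
        if not is_password_hash_generation(ev):
            continue
        proc = ev["process"]
        parent = proc.get("parent", {})
        if parent.get("name") in allowlisted_parents:
            continue
        f = Finding(
            timestamp=ev["@timestamp"],
            user=ev.get("user", {}).get("name", "?"),
            parent=parent.get("name", "?"),
            algorithm=describe_algorithm(proc["args"]),
            command_line=proc.get("command_line", " ".join(proc["args"])),
        )
        for later in events:
            lp = later.get("process", {})
            if (
                lp.get("name") in ACCOUNT_CHANGE_CMDS
                and later.get("user", {}).get("name") == f.user
                and lp.get("parent", {}).get("pid") == parent.get("pid")
                and f.timestamp <= later["@timestamp"] <= f.timestamp + window
            ):
                f.follow_up.append(lp.get("command_line", " ".join(lp["args"])))
        findings.append(f)
    return findings


# Constructed sample events: a suspicious shell session (hash, then useradd -p),
# a benign openssl invocation, a non-Linux host, and a provisioning-tool run.
LINUX = {"os": {"type": "linux"}}
SAMPLE_EVENTS = [
    {"@timestamp": 1000, "host": LINUX, "event": {"action": "exec"}, "user": {"name": "root"},
     "process": {"name": "openssl", "args": ["openssl", "passwd", "-6", "-salt", "Qx9sd"],
                 "command_line": "openssl passwd -6 -salt Qx9sd",
                 "parent": {"name": "bash", "pid": 4242}}},
    {"@timestamp": 1012, "host": LINUX, "event": {"action": "exec"}, "user": {"name": "root"},
     "process": {"name": "useradd", "args": ["useradd", "-m", "-p", "$6$Qx9sd$<hash>", "svc-backup"],
                 "command_line": "useradd -m -p $6$Qx9sd$<hash> svc-backup",
                 "parent": {"name": "bash", "pid": 4242}}},
    {"@timestamp": 2000, "host": LINUX, "event": {"action": "exec"}, "user": {"name": "root"},
     "process": {"name": "openssl", "args": ["openssl", "version"],
                 "parent": {"name": "bash", "pid": 4242}}},
    {"@timestamp": 2500, "host": {"os": {"type": "windows"}}, "event": {"action": "start"},
     "user": {"name": "Administrator"},
     "process": {"name": "openssl", "args": ["openssl", "passwd", "-1"],
                 "parent": {"name": "powershell.exe", "pid": 900}}},
    {"@timestamp": 4000, "host": LINUX, "event": {"action": "exec"}, "user": {"name": "root"},
     "process": {"name": "openssl", "args": ["openssl", "passwd", "-1", "-stdin"],
                 "parent": {"name": "cloud-init", "pid": 1}}},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, allowlisted_parents=frozenset({"cloud-init"})):
        print(f)
```

Matching `passwd` as a whole token in subcommand position keeps the rule from firing on unrelated `openssl` invocations, and the correlation with a same-session `useradd -p` is what turns a hash-generation alert into evidence of T1136.001 rather than a possible false positive. The `cloud-init` allowlist is only an illustration of the kind of tuning the investigation guide anticipates; any allowlist should be scoped to specific parents and hosts, since an attacker can run `openssl passwd` from a benign-looking parent.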
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • User Account
  • Container
  • Service
ATT&CK Techniques
  • T1136
  • T1136.001
Created: 2025-01-16