
Summary
This detection rule targets abuse of the Linux 'flock' utility, which is normally used to take advisory file locks from shell scripts and cron jobs. It flags cases where the flock binary is used to spawn an interactive system shell rather than a locking command, a pattern documented on GTFOBins (for example `flock -u / /bin/sh`). Because flock is often present on systems that restrict the user to a limited shell, an attacker can use it to break out of that restricted environment and obtain a full, more stable shell. The rule is written in EQL over process events: it looks for shell processes that are started with flock as the parent and whose arguments indicate an attempt to execute a shell rather than a locked command. Its risk score of 47 corresponds to medium severity. Note that `flock -c` legitimately runs its command through `/bin/sh -c`, so environments that wrap cron or backup jobs in flock may need tuning to avoid false positives. The rule references the GTFOBins entry for flock.
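The following is an added example and not Elastic's rule or its EQL query: a small Python detector that approximates the logic described above over constructed ECS-style process events. Field names (event.type, process.name, process.args, process.parent.name, process.parent.args) follow ECS, the shell list and the `-c` handling are my assumptions, and the sample events are made up for illustration.

```python
"""Toy detector for a shell spawned under flock, modelled on the rule above.

Added example, not Elastic's EQL rule. Field names follow ECS; the sample
events below are constructed, not real telemetry.
"""
import json

# Assumption: shells an attacker would realistically launch from flock.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh", "ash"}

# Constructed ECS-style process events, one JSON document per line.
SAMPLE_EVENTS = r"""
{"event":{"type":"start"},"process":{"name":"sh","args":["/bin/sh"],"parent":{"name":"flock","args":["flock","-u","/","/bin/sh"]}}}
{"event":{"type":"start"},"process":{"name":"sh","args":["/bin/sh","-c","rsync -a /src /dst"],"parent":{"name":"flock","args":["flock","-n","/var/lock/backup.lock","-c","rsync -a /src /dst"]}}}
{"event":{"type":"start"},"process":{"name":"bash","args":["bash","-i"],"parent":{"name":"flock","args":["flock","-x","/tmp/x","bash","-i"]}}}
{"event":{"type":"end"},"process":{"name":"sh","args":["/bin/sh"],"parent":{"name":"flock","args":["flock","-u","/","/bin/sh"]}}}
{"event":{"type":"start"},"process":{"name":"cat","args":["cat","/etc/hostname"],"parent":{"name":"flock","args":["flock","/tmp/l","cat","/etc/hostname"]}}}
{"event":{"type":"start"},"process":{"name":"bash","args":["bash"],"parent":{"name":"sshd","args":["sshd: alice"]}}}
"""


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_interactive_shell(args):
    """True when the shell's argv carries no -c command string, i.e. it will
    read commands from its stdin/terminal (the GTFOBins form, flock -u / /bin/sh)."""
    return "-c" not in args[1:]


def classify(event):
    """Return None (no match), 'breakout' (interactive shell under flock) or
    'flock_dash_c' (flock's own `-c` wrapper, which runs `/bin/sh -c` and is
    common in cron and backup scripts, so it is reported separately)."""
    if event.get("event", {}).get("type") != "start":
        return None
    proc = event.get("process", {})
    parent = proc.get("parent", {})
    if parent.get("name") != "flock" or proc.get("name") not in SHELLS:
        return None
    if is_interactive_shell(proc.get("args", [])):
        return "breakout"
    return "flock_dash_c"


def detect(text):
    """Run the rule over NDJSON events; returns (alerts, informational), each a
    list of the parent flock command lines that matched."""
    alerts, info = [], []
    for ev in parse_events(text):
        verdict = classify(ev)
        cmdline = " ".join(ev["process"]["parent"]["args"])
        if verdict == "breakout":
            alerts.append(cmdline)
        elif verdict == "flock_dash_c":
            info.append(cmdline)
    return alerts, info


if __name__ == "__main__":
    found, noise = detect(SAMPLE_EVENTS)
    for line in found:
        print("ALERT ", line)
    for line in noise:
        print("INFO  ", line)
```

Splitting the `-c` case out is a tuning choice for this example: `flock -c` always goes through `/bin/sh -c`, so treating every shell child of flock as a breakout would page on ordinary cron wrappers. The `event.type == "end"` record and the non-shell child are dropped, matching the rule's focus on process start events.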
Categories
- Linux
- Endpoint
- Other
Data Sources
- Process
ATT&CK Techniques
- T1059
- T1059.004
Created: 2022-03-22