Segfault from Sensitive Process Detected

Elastic Detection Rules

Summary
Monitors Linux kernel logs for segmentation fault messages reported for a curated list of sensitive processes. A segmentation fault is the kernel's response to an invalid memory access; most are ordinary software defects, but a crash in a privileged or network-facing service is also the typical residue of a memory-corruption exploit attempt, whether it failed outright (a wrong gadget address, a missed ASLR guess) or succeeded only partially. This rule therefore restricts itself to segfaults in processes such as agetty, apache2, cron, sshd and systemd-logind, where a successful exploit would yield arbitrary code execution as root or access to credentials. On a match it raises an alert mapped to the MITRE ATT&CK techniques T1003 (OS Credential Dumping), T1212 (Exploitation for Credential Access) and T1203 (Exploitation for Client Execution).

The detection runs against Linux endpoints using kernel log data (the system.syslog dataset) and process context: the query requires host.os.type: linux and event.dataset: system.syslog with process.name: kernel (the program that wrote the syslog line) and a message that contains segfault together with one of the monitored process names. On x86 the kernel writes these lines in the form <comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <code> in <object>, so the crashing process name, the faulting address and the page-fault error code are all available for triage. Segfaults also occur for benign reasons (a buggy library update, a corrupt configuration, resource exhaustion), so correlate an alert with additional signals, such as the same process crashing repeatedly or across multiple hosts, anomalous timing, the content of preceding requests or connections, or unusual credential-related activity, before treating it as exploitation.
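The filter the rule applies, emulated in Python over a few constructed syslog lines so the matching and the triage signals can be seen end to end. This is an added example, not Elastic's rule or query; the monitored process list is the subset the summary names (the real list is longer), the log lines are made up, and the message layout follows the x86 kernel's segfault report, in which the error code is printed in hex.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumption: only the process names the summary lists; the rule's own list is longer.
SENSITIVE_PROCESSES = frozenset({"agetty", "apache2", "cron", "sshd", "systemd-logind"})

# Syslog line: "<timestamp> <host> <program>[<pid>]: <message>". In ECS terms the program
# field becomes process.name, which is why the rule filters on process.name: kernel.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[\d+\])?: (?P<message>.*)$"
)

# x86 kernel segfault report (optionally preceded by the printk timestamp "[secs.usecs]"):
#   <comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <code> in <object>[<base>+<size>]
# addr, ip, sp and the error code are all hex without a 0x prefix.
SEGFAULT_RE = re.compile(
    r"^(?:\[\s*\d+\.\d+\]\s+)?(?P<comm>\S+?)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<code>[0-9a-f]+) in (?P<obj>\S+)"
)

# Constructed sample log, not real telemetry: two sshd crashes and one apache2 crash should
# match; the firefox crash, the non-segfault kernel line and the sshd auth line should not.
SAMPLE_LOG = """\
May 28 10:01:02 web01 kernel: [12345.678901] sshd[4321]: segfault at 0 ip 7f3a1c2b3d4e sp 7ffd9a8b7c60 error 4 in libc.so.6[7f3a1c200000+1c5000]
May 28 10:01:05 web01 kernel: [12348.000001] firefox[9999]: segfault at 10 ip 7f1100000000 sp 7ffc00000000 error 4 in libxul.so[7f1100000000+8000000]
May 28 10:01:09 web01 kernel: [12352.000002] sshd[4330]: segfault at 7ffd9a8b7c60 ip 7ffd9a8b7c60 sp 7ffd9a8b7c60 error 15 in sshd[400000+c0000]
May 28 10:02:01 web01 kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
May 28 10:03:00 db01 kernel: [100.000003] apache2[2222]: segfault at 7f00deadbeef ip 7f00dead1234 sp 7ffc12345678 error 6 in mod_example.so[7f00dead0000+10000]
May 28 10:03:01 db01 sshd[556]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""


@dataclass
class Segfault:
    host: str
    comm: str
    pid: int
    addr: int
    ip: int
    code: int
    obj: str

    def fault_description(self) -> str:
        # x86 page-fault error code bits: 1 = protection violation (else page not present),
        # 2 = write (else read), 4 = user mode, 16 = instruction fetch.
        kind = "instruction fetch" if self.code & 16 else ("write" if self.code & 2 else "read")
        cause = "protection violation" if self.code & 1 else "unmapped page"
        return f"{kind} at {self.addr:#x}, {cause}"

    def control_flow_hijack_hint(self) -> bool:
        # An instruction fetch faulting at the instruction pointer itself means execution
        # jumped to a non-executable or unmapped address: typical residue of an overwritten
        # return address or shellcode on an NX stack, so rank it above a plain null-pointer read.
        return bool(self.code & 16) and self.addr == self.ip


def parse_segfault(line: str) -> Optional[Segfault]:
    """Apply the rule's filter: program 'kernel', message containing 'segfault', and a
    crashing process whose name is on the sensitive list."""
    m = SYSLOG_RE.match(line)
    if not m or m["program"] != "kernel" or "segfault" not in m["message"]:
        return None
    s = SEGFAULT_RE.match(m["message"])
    if not s or s["comm"] not in SENSITIVE_PROCESSES:
        return None
    return Segfault(host=m["host"], comm=s["comm"], pid=int(s["pid"]),
                    addr=int(s["addr"], 16), ip=int(s["ip"], 16),
                    code=int(s["code"], 16), obj=s["obj"])


def detect(log: str) -> list[Segfault]:
    """Return every line of the log that the rule would alert on."""
    return [sf for sf in map(parse_segfault, log.splitlines()) if sf is not None]


def repeated_crashes(hits: list[Segfault], threshold: int = 2) -> dict[tuple[str, str], int]:
    """Triage aid for the false-positive caveat: count crashes per (host, process). The same
    sensitive process dying repeatedly on one host looks more like an exploitation attempt
    (for example ASLR brute forcing) than a one-off bug."""
    counts = Counter((h.host, h.comm) for h in hits)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(f"{h.host} {h.comm}[{h.pid}]: {h.fault_description()}"
              f"{' (possible control-flow hijack)' if h.control_flow_hijack_hint() else ''}")
    print("repeated:", repeated_crashes(hits))
```

The second sshd line is the one worth escalating: error 15 is a user-mode instruction fetch that hit a protection violation at an address equal to ip, which is what executing a mapped but non-executable page (here the stack) looks like. The apache2 write fault and the first sshd null read are consistent with ordinary bugs and need the per-host and cross-host correlation the summary recommends before they mean anything.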
Categories
  • Endpoint
  • Linux
Data Sources
  • Kernel
  • Process
  • Application Log
ATT&CK Techniques
  • T1003
  • T1212
  • T1203
Created: 2026-05-28