
Summary
This detection rule is designed to identify the use of various Linux system utilities that are commonly employed to discover network connections on a Linux system. The targeted executables include '/who', '/w', '/last', '/lsof', and '/netstat', which can provide insight into the state of network connections and user activity. The rule uses process creation logs to track the execution of these utilities. An additional filter is applied for the case where the command line of the parent process contains '/usr/bin/landscape-sysinfo', indicating a potentially legitimate invocation of the 'who' command that we want to avoid flagging as malicious. The rule combines the selection criteria with this filtering logic and triggers when one of the selected commands was executed and the filter condition is not met. False positives are largely attributable to legitimate administrative tasks performed by users or automated scripts. This rule is particularly useful for maintaining visibility in environments where user activity and network interactions may indicate unauthorized exploration or lateral movement attempts by an attacker.
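The selection-and-filter logic described above, written out as an added Python example (not the rule's own source) and run over a few constructed process-creation events; the field names Image, ParentCommandLine and ProcessId, and the sample values, are assumptions for illustration.

```python
"""Added example: the rule's selection/filter logic applied to constructed events.
Field names (Image, ParentCommandLine, ProcessId) are assumed for illustration."""

# Selection: image path ends with one of these suffixes (the leading slash keeps
# e.g. '/usr/bin/whoami' from matching '/who').
SELECTED_IMAGE_SUFFIXES = ("/who", "/w", "/last", "/lsof", "/netstat")
# Filter: parent command line of a benign landscape-sysinfo invocation of 'who'.
FILTER_PARENT_CMDLINE_CONTAINS = "/usr/bin/landscape-sysinfo"


def is_selected(event):
    """Selection criteria: executed image ends with a discovery utility name."""
    image = event.get("Image", "")
    return any(image.endswith(suffix) for suffix in SELECTED_IMAGE_SUFFIXES)


def is_filtered(event):
    """Filter: the parent command line contains the landscape-sysinfo path."""
    return FILTER_PARENT_CMDLINE_CONTAINS in event.get("ParentCommandLine", "")


def matches(event):
    """Rule condition: selection and not filter."""
    return is_selected(event) and not is_filtered(event)


def flagged(events):
    """Return the ProcessIds of the events that trigger the rule, in order."""
    return [e["ProcessId"] for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": "/usr/bin/netstat", "CommandLine": "netstat -antp",
     "ParentCommandLine": "/bin/bash"},
    {"ProcessId": 102, "Image": "/usr/bin/who", "CommandLine": "who",
     "ParentCommandLine": "/usr/bin/python3 /usr/bin/landscape-sysinfo"},
    {"ProcessId": 103, "Image": "/usr/bin/w", "CommandLine": "w",
     "ParentCommandLine": "/bin/sh -c w"},
    {"ProcessId": 104, "Image": "/usr/bin/whoami", "CommandLine": "whoami",
     "ParentCommandLine": "/bin/bash"},
    {"ProcessId": 105, "Image": "/usr/sbin/lsof", "CommandLine": "lsof -i",
     "ParentCommandLine": "/bin/bash"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["ProcessId"], event["Image"], "ALERT" if matches(event) else "ok")
```

Events 101, 103 and 105 trigger; 102 is suppressed by the landscape-sysinfo filter and 104 never matches because the suffix comparison includes the slash.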
Categories
- Linux
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1049
Created: 2020-10-19