
Summary
This detection rule identifies suspicious renaming of VMware-related files on Linux systems. The monitored file extensions are '.vmdk', '.vmx', '.vmxf', '.vmsd', '.vmsn', '.vswp', '.vmss', '.nvram', and '.vmem'. These files are central to VMware ESXi virtual machine environments because they store a virtual machine's configuration and state. The rule tracks 'rename' events on files with these extensions and raises an alert when a rename diverges from the expected extension pattern, that is, when the new file name no longer carries one of the expected extensions. Such unexpected renames can indicate an adversary attempting to evade detection or disrupt services through tactics such as masquerading. The rule uses data collected by the Elastic Defend integration and is intended for production Linux environments. Investigation steps accompany the rule for identifying potential threats and mitigating any discovered incidents.
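The following is an added example, not the rule's own query or code from Elastic: it re-expresses the summary's logic in Python so the condition can be run against sample rename events. The event field names (host_os, action, original_name, new_name) and the sample file paths are assumptions constructed for this example; the real rule evaluates Elastic Defend file events in the Elastic stack.

```python
from dataclasses import dataclass

# VMware ESXi file extensions named in the rule summary.
VMWARE_EXTENSIONS = (
    ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn",
    ".vswp", ".vmss", ".nvram", ".vmem",
)


@dataclass(frozen=True)
class FileEvent:
    """Minimal file event. The field layout is an assumption for this example,
    not the schema of the Elastic Defend integration."""
    host_os: str        # e.g. "linux"
    action: str         # e.g. "rename", "creation", "deletion"
    original_name: str  # path before the rename
    new_name: str       # path after the rename


def has_vmware_extension(name: str) -> bool:
    """True when the file name ends with one of the monitored extensions
    (case-insensitive, so 'DISK.VMDK' is still treated as a VMware file)."""
    return name.lower().endswith(VMWARE_EXTENSIONS)


def is_suspicious_rename(ev: FileEvent) -> bool:
    """Apply the rule's condition to one event: a Linux rename in which a file
    with a VMware extension ends up under a name that no longer carries any of
    the expected extensions. Renames that keep a VMware extension (e.g. a
    routine backup copy 'vm.vmx' -> 'vm-old.vmx') are not flagged."""
    if ev.host_os != "linux" or ev.action != "rename":
        return False
    return has_vmware_extension(ev.original_name) and not has_vmware_extension(ev.new_name)


def evaluate(events):
    """Return the subset of events that should raise an alert."""
    return [ev for ev in events if is_suspicious_rename(ev)]


# Constructed sample events: one true positive, three benign cases, one
# non-Linux host that the rule scopes out.
SAMPLE_EVENTS = [
    # VM disk renamed to a non-VMware extension: should alert.
    FileEvent("linux", "rename", "/vmfs/volumes/ds1/web01/web01.vmdk",
              "/vmfs/volumes/ds1/web01/web01.dat"),
    # Config file renamed but keeps its extension: benign housekeeping.
    FileEvent("linux", "rename", "/vmfs/volumes/ds1/web01/web01.vmx",
              "/vmfs/volumes/ds1/web01/web01-old.vmx"),
    # Not a rename event at all.
    FileEvent("linux", "creation", "", "/vmfs/volumes/ds1/web01/web01.vmsn"),
    # Unrelated file type.
    FileEvent("linux", "rename", "/home/admin/notes.txt", "/home/admin/notes.bak"),
    # Rule is scoped to Linux hosts only.
    FileEvent("windows", "rename", "C:\\VMs\\web01\\web01.vmdk", "C:\\VMs\\web01\\web01.dat"),
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {hit.original_name} -> {hit.new_name}")
```

When triaging a hit, the two paths in the event are the first thing to inspect: a rename that keeps the VMware extension is usually administrative, while one that drops it has no routine ESXi reason and matches the masquerading behaviour the rule is built to catch.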
Categories
- Endpoint
- Linux
Data Sources
- File
- Process
- Network Traffic
ATT&CK Techniques
- T1036
- T1036.003
Created: 2023-04-11