
Summary
This rule detects the creation of directories inside `/bin` on Linux systems. `/bin` is meant to hold essential system executables, so a new directory there is unusual and may be an adversary's attempt to hide malicious files or binaries behind the directory's trusted status. The rule is written in EQL (Event Query Language) and matches process start events in which the `mkdir` command is executed with arguments pointing to standard binary paths in and around `/bin`. Arguments that are simply the path of the `mkdir` binary itself (for example `/bin/mkdir`, which is recorded as the first argument when the command is invoked by absolute path) are excluded to reduce false positives. The rule is assigned low severity with a risk score of 21 and is most useful for spotting defense evasion and persistence activity. Note that it only observes executions of the `mkdir` command: a directory created under `/bin` through the `mkdir(2)` system call from another program (an installer, a scripting runtime, or a dropper) will not trigger it. The rule requires data from endpoint integrations such as Elastic Defend and SentinelOne.
Categories
- Endpoint
Data Sources
- Process
- File
- Application Log
- Network Traffic
- Sensor Health
ATT&CK Techniques
- T1564
- T1564.001
Created: 2024-11-01