
Summary
This detection rule monitors inter-process communication (IPC) over Unix domain sockets on Linux systems, a mechanism adversaries may use to probe for vulnerabilities, escalate privileges, or establish covert communication channels. The rule is written in EQL (Event Query Language) and identifies process executions of utilities such as 'netcat' and 'socat' invoked with specific flags that indicate Unix socket usage, flagging those invocations as potential misuse of IPC mechanisms. The risk score for this rule is low, marking it as a preliminary detection for suspicious socket communication rather than a high-confidence indicator. False positives should be expected, particularly from legitimate administrative tasks and development environments where 'netcat' and 'socat' are routinely used. The rule also includes a detailed investigation guide that outlines steps to analyze a potential incident: review the process execution and its parent, check the source and destination of the connection, and verify the activity against known safe service behavior. If a threat is confirmed, the recommended responses include isolating the affected system, examining logs for further unauthorized activity, and reinforcing the relevant security controls against further exploitation.
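To make the detection logic concrete, the following is an added example written for this summary; it is not the Elastic rule's EQL and does not reproduce its exact flag list. It assumes process-start events shaped like ECS documents (keys 'event.type', 'process.name', 'process.args', 'user.name') and assumes that the '-U' flag for netcat variants and the 'UNIX-CONNECT:' / 'UNIX-LISTEN:' / 'UNIX-CLIENT:' address forms for socat are the indicators of Unix socket use; the sample events are constructed for the demonstration.

```python
"""Toy detector for netcat/socat Unix-socket IPC, modelled on the rule summary.

Assumptions (not taken from the real rule):
  - events are dicts with ECS-style keys
  - netcat variants signal Unix-socket use with the -U / --unixsock flags
  - socat signals it with UNIX-* address forms in any argument
"""
from dataclasses import dataclass
from typing import Iterable, List

# Utilities the rule summary names, plus the common netcat binary names.
NETCAT_NAMES = {"nc", "ncat", "netcat"}
NETCAT_UNIX_FLAGS = {"-U", "--unixsock"}          # assumed indicator flags
SOCAT_UNIX_PREFIXES = ("UNIX-CONNECT:", "UNIX-LISTEN:", "UNIX-CLIENT:")  # assumed


@dataclass
class Alert:
    process_name: str
    args: List[str]
    user: str
    socket_target: str


def unix_socket_target(name: str, args: List[str]) -> str:
    """Return the Unix socket path/address the command targets, or '' if none."""
    if name == "socat":
        for arg in args:
            if arg.upper().startswith(SOCAT_UNIX_PREFIXES):
                return arg.split(":", 1)[1].split(",", 1)[0]  # strip options after ','
        return ""
    if name in NETCAT_NAMES and any(a in NETCAT_UNIX_FLAGS for a in args):
        # With -U the first non-flag argument is the socket path.
        for arg in args[1:]:
            if not arg.startswith("-"):
                return arg
        return "<unknown>"
    return ""


def detect_unix_socket_ipc(events: Iterable[dict]) -> List[Alert]:
    """Emit one Alert per process-start event that uses nc/socat on a Unix socket."""
    alerts = []
    for ev in events:
        if ev.get("event.type") != "start":       # only new executions matter
            continue
        name = ev.get("process.name", "")
        args = ev.get("process.args", [])
        target = unix_socket_target(name, args)
        if target:
            alerts.append(Alert(name, args, ev.get("user.name", "?"), target))
    return alerts


# Constructed sample telemetry: two hits, three non-hits.
SAMPLE_EVENTS = [
    {"event.type": "start", "process.name": "nc", "user.name": "www-data",
     "process.args": ["nc", "-U", "/var/run/docker.sock"]},
    {"event.type": "start", "process.name": "socat", "user.name": "deploy",
     "process.args": ["socat", "-", "UNIX-CONNECT:/run/snapd.socket,retry=3"]},
    {"event.type": "start", "process.name": "nc", "user.name": "ops",
     "process.args": ["nc", "-z", "10.0.0.5", "80"]},          # TCP scan, not Unix socket
    {"event.type": "start", "process.name": "socat", "user.name": "ops",
     "process.args": ["socat", "TCP-LISTEN:8080,fork", "TCP:127.0.0.1:80"]},
    {"event.type": "end", "process.name": "socat", "user.name": "root",
     "process.args": ["socat", "-", "UNIX-LISTEN:/tmp/x.sock"]},  # not a start event
]

if __name__ == "__main__":
    for alert in detect_unix_socket_ipc(SAMPLE_EVENTS):
        print(f"[low] {alert.user} ran {alert.process_name} against Unix socket "
              f"{alert.socket_target}: {' '.join(alert.args)}")
```

The socket target is extracted so an analyst can triage by what was reached (a Docker or snapd control socket is a different conversation from a developer's throwaway test socket), which is the "destination check" step the investigation guide calls for; tuning for the expected false positives is then a matter of allowlisting specific user/target pairs rather than the tools themselves.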
Categories
- Endpoint
- Linux
- Other
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1559
Created: 2023-09-04