
Summary
This detection rule identifies potential abuse of the Linux `cpulimit` binary, a utility that throttles the CPU usage of a target process. It alerts when an interactive system shell (bash, sh or dash) is started as a direct child of a `cpulimit` process, which is not a normal use of the tool. Because `cpulimit` can launch an arbitrary command on the caller's behalf, a user confined to a restricted shell or similarly controlled environment can ask it to launch `/bin/sh` and obtain an unrestricted shell, a GTFOBins-style breakout. The rule evaluates process events of type `start` and checks that the parent process is `cpulimit` and the child is one of the listed shells with specific arguments. It carries a risk score of 47 (medium) and maps to the MITRE ATT&CK Execution tactic, technique T1059.004 (Command and Scripting Interpreter: Unix Shell).
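The following is an added example, not the rule's own query or code from the rule's authors: it runs the parent-is-cpulimit, child-is-shell, event-type-is-start logic described above over a handful of constructed process events. Field names (event type, process name and args, parent name and args) are ECS-style and assumed; the exact argument constraint the production rule applies is not reproduced on this page, so the example treats the parent `cpulimit` carrying its `-f` (launch the target and wait in the foreground) flag as the "specific arguments" condition, and labels that as an assumption in the code.

```python
"""Cpulimit -> shell breakout check over constructed process-start events.

Added example; the real rule's query is not on this page.  Field names are
ECS-style by assumption (event.type, process.name, process.args,
process.parent.name, process.parent.args).
"""

from dataclasses import dataclass, field

SHELLS = {"bash", "sh", "dash"}   # interactive shells named in the summary
RISK_SCORE = 47                   # medium, as stated in the summary
TECHNIQUE = "T1059.004"
# ASSUMPTION: the "specific arguments" the rule checks are cpulimit being
# invoked with -f, i.e. told to launch the target command itself and stay in
# the foreground, which is the GTFOBins form `cpulimit -l 100 -f /bin/sh`.
PARENT_FLAG = "-f"


@dataclass
class ProcessEvent:
    event_type: str                      # "start" or "end"
    name: str                            # process.name
    parent_name: str                     # process.parent.name
    args: list[str] = field(default_factory=list)         # process.args (no argv[0])
    parent_args: list[str] = field(default_factory=list)  # process.parent.args


def matches_cpulimit_breakout(ev: ProcessEvent) -> bool:
    """True when a shell is started as a direct child of cpulimit -f."""
    return (
        ev.event_type == "start"
        and ev.parent_name == "cpulimit"
        and ev.name in SHELLS
        and PARENT_FLAG in ev.parent_args
    )


def run_rule(events: list[ProcessEvent]) -> list[dict]:
    """Return one alert per matching event, carrying the rule's risk score."""
    alerts = []
    for ev in events:
        if matches_cpulimit_breakout(ev):
            alerts.append({
                "rule": "Shell spawned from cpulimit",
                "risk_score": RISK_SCORE,
                "technique": TECHNIQUE,
                "command_line": " ".join([ev.name, *ev.args]),
                "parent_command_line": " ".join([ev.parent_name, *ev.parent_args]),
            })
    return alerts


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    # 0: legitimate use, throttling an encoder; the child is not a shell.
    ProcessEvent("start", "ffmpeg", "cpulimit",
                 ["-i", "in.mp4", "out.mkv"],
                 ["-l", "50", "-f", "ffmpeg", "-i", "in.mp4", "out.mkv"]),
    # 1: GTFOBins-style breakout: cpulimit launches /bin/sh in the foreground.
    ProcessEvent("start", "sh", "cpulimit", [], ["-l", "100", "-f", "/bin/sh"]),
    # 2: same technique, but running a one-off command through bash -c.
    ProcessEvent("start", "bash", "cpulimit",
                 ["-c", "id"], ["-l", "100", "-f", "bash", "-c", "id"]),
    # 3: the shell's exit event; the rule only looks at process starts.
    ProcessEvent("end", "sh", "cpulimit", [], ["-l", "100", "-f", "/bin/sh"]),
    # 4: a shell started by sudo, not by cpulimit.
    ProcessEvent("start", "sh", "sudo", ["-c", "id"], ["sh", "-c", "id"]),
    # 5: cpulimit launching a shell without -f; falls outside the assumed
    #    argument condition and so is NOT flagged by this example.
    ProcessEvent("start", "sh", "cpulimit", [], ["-l", "100", "/bin/sh"]),
]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Event 5 is the case to keep in mind when tuning: it is the same parent/child relationship with a different `cpulimit` argument set, so whichever argument predicate a deployed rule uses decides whether that variant is caught or missed. Validate the predicate against telemetry from your own hosts before relying on it.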
Categories
- Linux
- Endpoint
- Infrastructure
Data Sources
- Process
- Command
- Logon Session
ATT&CK Techniques
- T1059
- T1059.004
Created: 2022-03-17