
Summary
This detection rule identifies potential misuse of the Linux 'expect' binary, which is commonly used to automate control of interactive applications such as Telnet and SSH. By analyzing the creation of interactive system shells spawned by the 'expect' utility, the rule aims to detect abnormal behavior indicative of a potential breakout from a restricted shell environment. Specifically, it looks for processes named 'bash', 'sh', or 'dash' whose parent process is 'expect' and whose arguments match patterns associated with spawning an interactive shell. Such activity may indicate an attempt by a malicious actor to extend their control over a compromised system. The detection is mapped to the MITRE ATT&CK framework under the Execution tactic (TA0002) and the Command and Scripting Interpreter technique (T1059), specifically the Unix Shell sub-technique (T1059.004). The rule carries a medium risk score, suggesting moderate urgency when such patterns are detected.
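The matching logic described above, run over a handful of constructed process-creation events, as an added example (not the rule's own query or any vendor code). The page does not spell out the argument pattern, so this example assumes "interactive" means the shell's argv carries '-i' or has no arguments at all; the event field names and sample events are likewise constructed.

```python
import os
from dataclasses import dataclass

# Constructed process-creation events (not from any real host). Field names
# follow the process.name / process.args / process.parent.name fields the
# rule summary refers to.
@dataclass
class ProcessEvent:
    name: str            # process.name (may arrive as a full path)
    args: list           # process.args (argv, argv[0] included)
    parent_name: str     # process.parent.name

SHELLS = {"bash", "sh", "dash"}

def is_interactive_shell_from_expect(ev):
    """True when bash/sh/dash is spawned directly by 'expect' with an
    interactive argument pattern.

    Assumption (the page does not define the pattern): the shell is
    interactive when its argv carries '-i' or has no arguments at all,
    which is how a shell attached to expect's pty behaves.
    """
    if os.path.basename(ev.name) not in SHELLS:
        return False
    if os.path.basename(ev.parent_name) != "expect":
        return False
    rest = ev.args[1:]
    return rest == [] or "-i" in rest

def scan(events):
    """Return one alert dict per matching event, tagged with the page's
    ATT&CK mapping and risk level."""
    alerts = []
    for ev in events:
        if is_interactive_shell_from_expect(ev):
            alerts.append({
                "rule": "expect spawned interactive shell",
                "process": ev.args,
                "parent": ev.parent_name,
                "technique": "T1059.004",
                "tactic": "TA0002",
                "risk": "medium",
            })
    return alerts

SAMPLE_EVENTS = [
    ProcessEvent("sh", ["sh", "-i"], "expect"),                 # match
    ProcessEvent("/bin/bash", ["/bin/bash"], "expect"),         # match (path form)
    ProcessEvent("bash", ["bash", "-c", "uptime"], "expect"),   # non-interactive
    ProcessEvent("ssh", ["ssh", "host.example"], "expect"),     # expect's normal job
    ProcessEvent("bash", ["bash", "-i"], "sshd"),               # wrong parent
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the first two sample events fire; the `-c` case shows why the argument pattern matters, since expect legitimately drives non-interactive shells too.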
Categories
- Linux
- Endpoint
- Cloud
Data Sources
- Process
ATT&CK Techniques
- T1059
- T1059.004
Created: 2022-03-07