Potentially Suspicious Process Started via tmux or screen

Elastic Detection Rules

Summary
This detection rule monitors for potentially suspicious commands executed in the background using the terminal multiplexers `screen` and `tmux`. Attackers may abuse these tools to run commands stealthily, since a multiplexer session can be detached from the terminal and keep executing processes without direct visibility. The rule triggers on Linux systems when a process launched from `screen` or `tmux` runs one of a set of commands commonly associated with malicious activity, such as network scanning tools or scripting languages. It uses EQL (Event Query Language) to search across multiple endpoint event indices and flags processes meeting these criteria as potentially malicious. Notably, the rule's risk score is low, so it serves primarily as a supplementary detection that requires further investigation to confirm any malicious activity.
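To make the matching logic concrete, here is an added Python sketch that replays the rule's core condition over a handful of constructed process-start events. It is illustration written for this page, not the Elastic rule's own EQL or code; the ECS field names (`event.type`, `process.parent.name`, `process.name`) are an assumption about the event shape, and the list of "suspicious" child programs is a constructed placeholder standing in for the categories the summary names, not the rule's actual list.

```python
"""Toy re-implementation of the rule's matching condition, for illustration.

Assumptions (not taken from the rule page): events are ECS-shaped dicts with
event.type, process.name and process.parent.name, and SUSPICIOUS_CHILDREN is a
constructed stand-in for the real rule's list of scanning tools and scripting
interpreters.
"""
from __future__ import annotations

from typing import Iterable

# Terminal multiplexers named by the rule summary.
MULTIPLEXERS = {"screen", "tmux"}

# Constructed placeholder for "network scanning tools or scripting languages";
# the real rule's list may differ.
SUSPICIOUS_CHILDREN = {"nmap", "nc", "python", "python3", "perl", "php", "ruby"}

RULE_NAME = "Potentially Suspicious Process Started via tmux or screen"


def matches(event: dict) -> bool:
    """Return True when a process-start event fits the rule's pattern.

    Only the direct parent is inspected: a command whose parent is a shell
    spawned by the multiplexer would not match here.
    """
    if event.get("event", {}).get("type") != "start":
        return False
    proc = event.get("process", {})
    parent = proc.get("parent", {}).get("name", "")
    child = proc.get("name", "")
    return parent in MULTIPLEXERS and child in SUSPICIOUS_CHILDREN


def detect(events: Iterable[dict]) -> list[dict]:
    """Run the condition over an event stream and return low-severity alerts.

    Severity is "low" to mirror the rule's risk score: each alert is a lead
    for triage (who ran it, on which host, with what arguments), not a verdict.
    """
    alerts = []
    for ev in events:
        if not matches(ev):
            continue
        proc = ev["process"]
        alerts.append(
            {
                "rule": RULE_NAME,
                "severity": "low",
                "host": ev.get("host", {}).get("name"),
                "user": ev.get("user", {}).get("name"),
                "parent": proc["parent"]["name"],
                "process": proc["name"],
                "command_line": proc.get("command_line"),
            }
        )
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # scanner launched directly from tmux -> matches
    {"event": {"type": "start"}, "host": {"name": "web-01"}, "user": {"name": "deploy"},
     "process": {"name": "nmap", "command_line": "nmap -sn 10.0.0.0/24",
                 "parent": {"name": "tmux"}}},
    # tmux opening its login shell -> benign, shell not in the list
    {"event": {"type": "start"}, "host": {"name": "web-01"}, "user": {"name": "deploy"},
     "process": {"name": "bash", "command_line": "-bash",
                 "parent": {"name": "tmux"}}},
    # interpreter started by a service manager, not a multiplexer -> no match
    {"event": {"type": "start"}, "host": {"name": "web-02"}, "user": {"name": "root"},
     "process": {"name": "python3", "command_line": "python3 /opt/app/main.py",
                 "parent": {"name": "systemd"}}},
    # interpreter launched from screen -> matches
    {"event": {"type": "start"}, "host": {"name": "db-01"}, "user": {"name": "ops"},
     "process": {"name": "python3", "command_line": "python3 -m http.server 8000",
                 "parent": {"name": "screen"}}},
    # process exit event for the same pair -> ignored, rule is about starts
    {"event": {"type": "end"}, "host": {"name": "web-01"}, "user": {"name": "deploy"},
     "process": {"name": "nmap", "command_line": "nmap -sn 10.0.0.0/24",
                 "parent": {"name": "tmux"}}},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the module prints two alerts (the `tmux` -> `nmap` and `screen` -> `python3` starts); the shell spawn, the service-manager child and the exit event are left alone. The context carried in each alert is what an analyst needs to follow up on a low-scoring hit: the user, host and full command line decide whether the session was a legitimate long-running job or something to escalate.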
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Container
  • User Account
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1218
Created: 2023-09-04