
OMIGOD SCX RunAsProvider ExecuteScript

Sigma Rules

Summary
This rule detects the execution of UNIX/Linux scripts through the ExecuteScript method of the SCX RunAsProvider in the Microsoft Operations Manager UNIX/Linux agent (SCXcore), the OMI-exposed component at the centre of the OMIGOD vulnerabilities. ExecuteScript runs the supplied script with '/bin/sh'. The script is written to a temporary file in '/tmp' whose name begins with 'scx', and at execution time it appears under '/etc/opt/microsoft/scx/conf/tmpdir/' with the same 'scx' prefix. The selection therefore matches process-creation events in which the process runs as root (LogonId 0), the current directory is the agent's working directory named in the rule, and the command line references an 'scx'-prefixed script path. A match is a strong indicator that ExecuteScript was invoked; on an unpatched OMI host that can mean unauthenticated remote code execution or local privilege escalation through the OMIGOD vulnerabilities. The mapped ATT&CK techniques are T1068 (Exploitation for Privilege Escalation) and T1190 (Exploit Public-Facing Application). The rule detects rather than prevents: SCOM management packs also run scripts through this provider, so a hit should be correlated with the origin of the OMI request and the contents of the temporary script before it is treated as an intrusion.
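The selection described above, reduced to a predicate and run over a few constructed process-creation events. This is an added example and not the rule's own YAML or code from the Sigma project; the field names follow the Sigma process_creation convention (User, LogonId, CurrentDirectory, CommandLine), the working-directory value SCX_WORKDIR is an assumption because the page does not name it, and the sample events are made up for the demonstration.

```python
"""Added example (not the page's or the Sigma project's own code): the
OMIGOD SCX RunAsProvider ExecuteScript selection as a Python predicate,
applied to constructed Linux process-creation events."""
from typing import Dict, List

# Assumed value: the page only says the rule keys on "a specified current
# directory", so this path is an assumption for the example, not from the page.
SCX_WORKDIR = "/var/opt/microsoft/scx/tmp"

# From the page: the temp script shows up under the SCX tmpdir with an 'scx'
# prefix, so this is the substring the command line is checked against.
SCX_TMP_SCRIPT_PREFIX = "/etc/opt/microsoft/scx/conf/tmpdir/scx"


def matches_scx_executescript(event: Dict[str, str]) -> bool:
    """Mirror of the rule's selection; all conditions are AND-ed like the
    fields of a single Sigma 'selection' block."""
    return (
        event.get("User") == "root"
        and str(event.get("LogonId", "")) == "0"
        and event.get("CurrentDirectory") == SCX_WORKDIR
        and SCX_TMP_SCRIPT_PREFIX in event.get("CommandLine", "")
    )


def find_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would fire the rule, in input order."""
    return [e for e in events if matches_scx_executescript(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # ExecuteScript shape: root, agent workdir, /bin/sh on an scx temp script
        "User": "root", "LogonId": "0",
        "CurrentDirectory": SCX_WORKDIR,
        "Image": "/bin/sh",
        "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx3F2A1B",
    },
    {   # benign: same shell and user, but a cron script from a different directory
        "User": "root", "LogonId": "0",
        "CurrentDirectory": "/",
        "Image": "/bin/sh",
        "CommandLine": "/bin/sh /etc/cron.daily/logrotate",
    },
    {   # unprivileged account referencing the path: LogonId is not 0, no match
        "User": "omi", "LogonId": "998",
        "CurrentDirectory": SCX_WORKDIR,
        "Image": "/bin/sh",
        "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxDEADBEEF",
    },
    {   # root in the workdir but a path without the 'scx' prefix: no match
        "User": "root", "LogonId": "0",
        "CurrentDirectory": SCX_WORKDIR,
        "Image": "/bin/sh",
        "CommandLine": "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/README",
    },
]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("HIT:", hit["CommandLine"])
```

Only the first sample fires; the other three show why each field matters. Triage of a real hit should then look at who issued the OMI request and what the scx-prefixed temporary script contained, since legitimate SCOM monitoring produces the same process shape.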
Categories
  • Linux
  • Cloud
  • Application
Data Sources
  • Process
Created: 2021-10-15