
Printer User (lp) Shell Execution

Elastic Detection Rules

Summary
This detection rule targets the CUPS printing system vulnerabilities tracked as CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177. It monitors for shell executions by the default printer user (lp) that are spawned by the parent process foomatic-rip. The vulnerabilities allow remote attackers to send crafted IPP requests or UDP packets, which can lead to arbitrary command execution once a print job is started. The rule requires data from Elastic Defend and fires when the lp user executes shell commands in a way consistent with exploitation of these vulnerabilities. Recommended triage includes investigating incoming IPP requests or unexpected processes stemming from print activity, examining any unauthorized printer configurations, and auditing related systems for indicators of compromise. Investigation steps include reviewing network traffic logs, analyzing the executables involved, and following incident response procedures if malicious activity is confirmed.
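The matching logic described above, as an added example that is not Elastic's rule query: it applies the lp-user, foomatic-rip-parent, shell-child condition to constructed ECS-style process events. The field names, the shell list and the sample events are assumptions.

```python
# Added example (not Elastic's rule): apply the detection logic from the
# summary to constructed process events. Field names follow ECS-style
# dotted keys as an assumption; the shell list is an assumption too.

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}


def is_lp_shell_from_foomatic(event: dict) -> bool:
    """True when a shell is started by user lp with parent foomatic-rip."""
    if event.get("event.type") != "start":
        return False
    if event.get("user.name") != "lp":
        return False
    if event.get("process.parent.name") != "foomatic-rip":
        return False
    return event.get("process.name") in SHELLS


def find_matches(events):
    """Return the events that match the detection condition."""
    return [e for e in events if is_lp_shell_from_foomatic(e)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Benign: cupsd runs the foomatic-rip filter as lp, no shell involved.
    {"event.type": "start", "user.name": "lp",
     "process.parent.name": "cupsd", "process.name": "foomatic-rip"},
    # Suspicious: foomatic-rip spawns a shell as lp during a print job.
    {"event.type": "start", "user.name": "lp",
     "process.parent.name": "foomatic-rip", "process.name": "sh"},
    # Not a match: process exit event, only starts are evaluated.
    {"event.type": "end", "user.name": "lp",
     "process.parent.name": "foomatic-rip", "process.name": "sh"},
    # Not a match: different user, different parent.
    {"event.type": "start", "user.name": "root",
     "process.parent.name": "sshd", "process.name": "bash"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("match:", hit)
```

Baseline normal print jobs before alerting on this condition, since legitimate filter chains in some environments may also invoke a shell; the rule's value comes from correlating the hit with the incoming IPP request and the printer configuration it references.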
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1203
Created: 2024-09-27