
Summary
This detection rule identifies the execution or downloading of known credential dumping tools on Unix-based hosts, specifically Mimipenguin, Lazagne, and swap_digger. These tools have been used by various threat actors, including Alloy Taurus/Gallium, APT15, MuddyWater, and TeamTNT, as well as by ransomware groups such as ALPHV/BlackCat and AvosLocker. The detection logic uses EDR logs collected from the CrowdStrike platform, filtering for process events that occurred within the last two hours on Linux or macOS hosts and checking the process names against those associated with these credential dumping tools. The tools are known to exploit weaknesses in Unix-based systems to extract sensitive information such as passwords. The behaviour covered by this detection maps to the MITRE ATT&CK framework under credential dumping (T1003). The rule aims to strengthen endpoint security by surfacing suspicious activity that could indicate a breach or an attempt to harvest credentials.
Categories
- Endpoint
- Linux
- macOS
Data Sources
- Process
ATT&CK Techniques
- T1003.008
- T1003.007
Created: 2024-02-09