
Summary
This detection rule identifies execution of the mimipenguin script, a Linux adaptation of the well-known Windows credential-dumping tool Mimikatz. Mimipenguin dumps clear text passwords belonging to the currently logged-in user's session by exploiting CVE-2018-20781. Attackers use this technique to recover credentials from process memory, which they read through the '/proc' filesystem. The rule uses an EQL query to detect a sequence in which the 'ps' and 'strings' commands are executed, a pattern typical of attempts to capture clear text passwords. A risk score of 47 corresponds to medium severity for this possible attack on Linux systems. The associated investigation guide explains how to investigate such incidents and which steps mitigate the underlying exposure.
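The sequence logic the rule's EQL query describes, re-implemented in Python over constructed process-start events as an added example (this is not the rule's own query or code). It assumes the sequence is keyed on host and parent process ID and bounded by a one-minute window; both are assumptions, not details taken from the page.

```python
from datetime import datetime, timedelta

# Constructed sample process-start events; field names are assumed and do not
# come from the rule. Timestamps are ISO 8601 in UTC.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-04-26T10:00:00Z", "event_type": "start", "host": "web-01",
     "parent_pid": 4100, "name": "ps"},
    {"@timestamp": "2023-04-26T10:00:02Z", "event_type": "start", "host": "web-01",
     "parent_pid": 4100, "name": "strings"},        # ps -> strings within a minute: alert
    {"@timestamp": "2023-04-26T10:05:00Z", "event_type": "start", "host": "web-02",
     "parent_pid": 900, "name": "ps"},
    {"@timestamp": "2023-04-26T10:08:00Z", "event_type": "start", "host": "web-02",
     "parent_pid": 900, "name": "strings"},         # outside the window: no alert
    {"@timestamp": "2023-04-26T10:09:00Z", "event_type": "end", "host": "web-03",
     "parent_pid": 77, "name": "ps"},               # not a start event: ignored
    {"@timestamp": "2023-04-26T10:09:01Z", "event_type": "start", "host": "web-03",
     "parent_pid": 77, "name": "strings"},          # no preceding ps start: no alert
]

RISK_SCORE = 47  # medium severity, as stated for the rule


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_ps_strings_sequence(events, maxspan=timedelta(minutes=1)):
    """Return one alert per 'ps' start that is followed, from the same parent
    process on the same host and within maxspan, by a 'strings' start."""
    alerts = []
    pending = {}  # (host, parent_pid) -> timestamp of the most recent 'ps' start
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event_type"] != "start":
            continue
        key = (ev["host"], ev["parent_pid"])
        ts = parse_ts(ev["@timestamp"])
        if ev["name"] == "ps":
            pending[key] = ts
        elif ev["name"] == "strings" and key in pending:
            if ts - pending[key] <= maxspan:
                alerts.append({"host": ev["host"], "parent_pid": ev["parent_pid"],
                               "ps_at": pending[key].isoformat(),
                               "strings_at": ts.isoformat(),
                               "risk_score": RISK_SCORE})
            del pending[key]  # each ps start matches at most one strings start
    return alerts


if __name__ == "__main__":
    for alert in detect_ps_strings_sequence(SAMPLE_EVENTS):
        print(alert)
```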
Categories
- Endpoint
- Linux
Data Sources
- Process
- File
- Command
- Sensor Health
- Application Log
ATT&CK Techniques
- T1003
- T1003.007
- T1212
Created: 2023-04-26