
Summary
This detection rule, authored by Elastic, identifies kernel unpacking activity on Linux systems by monitoring processes associated with unpacking utilities. Unpacking kernel images and modules can be a legitimate maintenance task, but attackers may use the same utilities to inspect or modify the kernel in an attempt to exploit vulnerabilities. The rule uses Elastic's EQL (Event Query Language) to filter events that indicate a kernel unpacking attempt: it looks for process start events in which commonly used unpacking tools are executed, and it evaluates the context of their execution. Exclusion logic is built into the rule to ignore benign processes, which improves its accuracy in flagging real threats. The setup requirements state that Elastic Defend must be integrated via Fleet to provide the necessary monitoring coverage. The guidance sections provide a detailed investigation procedure for security analysts, address potential false positives, and advise on response actions for managing the threats encountered.
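As an added illustration of the detection idea described above (not Elastic's rule or its EQL query), the Python below applies the same logic to constructed ECS-style process events: alert on process start events for unpacking tools unless the parent process is on a benign-maintenance exclusion list. The tool names in `UNPACKING_TOOLS` and the parents in `BENIGN_PARENTS` are assumptions for this example, not values taken from the rule.

```python
from typing import Iterable

# Assumed for this example: utilities that unpack kernel images or initramfs archives.
UNPACKING_TOOLS = {"unmkinitramfs", "extract-vmlinux", "lsinitrd"}
# Assumed for this example: parent processes treated as benign maintenance tooling.
BENIGN_PARENTS = {"update-initramfs", "dracut", "dpkg"}


def is_kernel_unpacking(event: dict) -> bool:
    """Return True for a process start of an unpacking tool not spawned by a benign parent."""
    ev = event.get("event", {})
    if ev.get("category") != "process":
        return False
    # ECS event.type is a list; the rule idea is to match only process starts.
    if "start" not in ev.get("type", []):
        return False
    proc = event.get("process", {})
    if proc.get("name") not in UNPACKING_TOOLS:
        return False
    # Exclusion logic: ignore launches driven by known maintenance tooling.
    parent_name = proc.get("parent", {}).get("name")
    return parent_name not in BENIGN_PARENTS


def find_alerts(events: Iterable[dict]) -> list[str]:
    """Return the command lines of every event that the detection logic flags."""
    return [e["process"]["command_line"] for e in events if is_kernel_unpacking(e)]


def _evt(name: str, cmd: str, parent: str, etype: str = "start", category: str = "process") -> dict:
    """Build a constructed ECS-style event for the sample data below."""
    return {
        "event": {"category": category, "type": [etype]},
        "process": {"name": name, "command_line": cmd, "parent": {"name": parent}},
    }


# Constructed sample events: one interactive unpack (flagged), one package-driven
# unpack (excluded), one process end event (ignored), one unrelated process (ignored).
SAMPLE_EVENTS = [
    _evt("unmkinitramfs", "unmkinitramfs /boot/initrd.img-6.1 /tmp/ird", "bash"),
    _evt("unmkinitramfs", "unmkinitramfs /boot/initrd.img-6.1 /var/tmp/mk", "update-initramfs"),
    _evt("extract-vmlinux", "extract-vmlinux /boot/vmlinuz-6.1", "bash", etype="end"),
    _evt("ls", "ls -la /boot", "bash"),
]

if __name__ == "__main__":
    for cmd in find_alerts(SAMPLE_EVENTS):
        print("ALERT kernel unpacking:", cmd)
```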
Categories
- Endpoint
- Linux
Data Sources
- Process
- File
ATT&CK Techniques
- T1082
- T1014
Created: 2025-01-07