
Summary
This detection rule aims to identify potential exploitation attempts of a known vulnerability in VMware Tools (CVE-2025-41244) on Linux systems. The vulnerability allows local attackers to execute arbitrary code with elevated privileges through processes managed by the VMware Tools service, specifically through the scripts it uses to probe version strings. The rule triggers on process events in which 'vmtoolsd' or its associated discovery scripts launch child processes that may have been hijacked. The detection also provides specific investigative steps to determine whether a process executed by 'vmtoolsd' was exploited, including checks on command-line arguments, file permissions, and integrity verification of VMware components. Furthermore, the rule describes possible false positive scenarios and provides comprehensive response strategies, including isolating affected VMs and ensuring system configurations prevent similar exploits.
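The following is an added illustration of the detection and triage logic the summary describes; it is not the rule's own query and is not taken from the rule's author or from VMware. It flags child processes whose parent is 'vmtoolsd' (the daemon named above) and enriches each hit with the triage checks the summary lists: the child's command-line arguments, where its executable lives, its on-disk permissions and ownership, and whether it ran with elevated privileges. The discovery-script path fragment, the field names of the process events and the sample events themselves are all constructed assumptions for this example.

```python
"""Added example: flag children of the VMware Tools daemon or its discovery
scripts and attach the triage checks named in the rule summary.
Field names, the script path fragment and the sample events are assumptions."""
from dataclasses import dataclass
from typing import Any, Dict, List

# Parent process names treated as VMware Tools version probes.
# 'vmtoolsd' is on the page; the path fragment is an assumed example.
VMTOOLS_PARENT_NAMES = {"vmtoolsd"}
DISCOVERY_SCRIPT_HINTS = ("serviceDiscovery",)  # assumed, not from the rule

# Directories from which a legitimate version probe would normally run.
SYSTEM_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")
VERSION_FLAGS = {"-v", "-V", "--version", "version"}


@dataclass
class ProcEvent:
    """One constructed process-start record (shape is an assumption)."""
    pid: int
    parent_name: str
    parent_path: str
    name: str
    path: str           # executable that was actually run
    args: List[str]
    file_mode: int      # permission bits of the executable on disk
    file_owner_uid: int
    euid: int           # effective uid the child runs with


def is_vmtools_parent(ev: ProcEvent) -> bool:
    """Base rule: parent is the daemon or one of its discovery scripts."""
    if ev.parent_name in VMTOOLS_PARENT_NAMES:
        return True
    return any(hint in ev.parent_path for hint in DISCOVERY_SCRIPT_HINTS)


def triage(ev: ProcEvent) -> Dict[str, Any]:
    """Investigative checks from the summary, applied to one hit."""
    checks = {
        # a version probe normally targets a binary in a system path
        "outside_system_path": not ev.path.startswith(SYSTEM_BIN_DIRS),
        # a world-writable or non-root-owned binary can be replaced by a local user
        "world_writable": bool(ev.file_mode & 0o002),
        "nonroot_owner": ev.file_owner_uid != 0,
        # the child was run with root privileges
        "privileged": ev.euid == 0,
        # the arguments look like a version probe, as the summary describes
        "version_probe_args": any(a in VERSION_FLAGS for a in ev.args),
    }
    suspicious = checks["outside_system_path"] or checks["world_writable"] \
        or checks["nonroot_owner"]
    # A root-owned system binary probed by vmtoolsd is the expected false
    # positive; a writable or oddly located binary run as root is the concern.
    severity = "high" if checks["privileged"] and suspicious else "low"
    return {"pid": ev.pid, "path": ev.path, "severity": severity, **checks}


def analyze(events: List[ProcEvent]) -> List[Dict[str, Any]]:
    """Return one triaged finding per event that matches the base rule."""
    return [triage(ev) for ev in events if is_vmtools_parent(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # expected false positive: vmtoolsd probing a root-owned system binary
    ProcEvent(101, "vmtoolsd", "/usr/bin/vmtoolsd", "httpd", "/usr/bin/httpd",
              ["httpd", "-v"], 0o755, 0, 0),
    # concerning: same probe resolved to a user-writable binary, run as root
    ProcEvent(102, "vmtoolsd", "/usr/bin/vmtoolsd", "httpd", "/tmp/httpd",
              ["httpd", "-v"], 0o777, 1000, 0),
    # unrelated parent: does not match the base rule at all
    ProcEvent(103, "bash", "/bin/bash", "httpd", "/usr/bin/httpd",
              ["httpd", "-v"], 0o755, 0, 1000),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the first two records match the base rule and the third does not; the triage fields then separate the benign system-binary probe (severity "low") from the root-privileged execution of a world-writable binary outside system paths (severity "high"), which is the distinction an analyst needs when working through the false-positive scenarios the summary mentions.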
Categories
- Linux
- Endpoint
- On-Premise
Data Sources
- Container
- User Account
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1068
Created: 2025-09-30