
Summary
This detection rule identifies suspicious egress network connection attempts linked to the execution of Git hook scripts on Linux hosts. Git hooks are scripts that Git runs automatically during operations such as commit or push. Attackers can abuse these hooks to run arbitrary commands, maintain persistence, or open unauthorized network connections for data exfiltration or payload downloads. The rule uses EQL (Event Query Language) to detect a sequence of events that meets specific criteria: a process launched by a Git hook script that then attempts to connect to an external IP address. By correlating the hook script's execution with the network activity that follows it, the rule flags actions that deviate from expected Git hook behavior. The rule requires the Elastic Defend integration and an Elastic Agent deployed on the monitored Linux hosts. Users are advised to follow the investigation guide to distinguish legitimate Git hook usage from a potential security incident. The rule's risk score is set at medium (47). The related MITRE ATT&CK techniques, 'Create or Modify System Process' and 'Hijack Execution Flow', illustrate how Git hook abuse fits into persistence and execution-hijacking attacks.
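The correlation logic described above, written out as an added Python example (this is not the rule's own EQL and not Elastic code): a process exec whose parent is a hook script under .git/hooks/ is paired with a connection attempt by the same host and pid within a short span, and internal destinations are excluded. The event shape, the internal-range list and the sample telemetry are assumptions constructed for the example; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public addresses.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed stand-in for the rule's internal-address exclusions (not Elastic's actual list).
INTERNAL_NETS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7")]

def is_external(ip):
    # True when the destination lies outside every internal range above.
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def spawned_by_git_hook(parent_executable):
    return "/.git/hooks/" in parent_executable  # hook scripts live under <repo>/.git/hooks/

def detect_git_hook_egress(events, maxspan=timedelta(seconds=3)):
    """Pair a hook-spawned exec with a later external connection by the same host/pid."""
    pending = {}  # (host, pid) -> (exec time, hook path, child executable)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["pid"])
        if ev["category"] == "process" and ev["action"] == "exec":
            if spawned_by_git_hook(ev["parent_executable"]):
                pending[key] = (ts, ev["parent_executable"], ev["executable"])
        elif ev["category"] == "network" and ev["action"] == "connection_attempted":
            start = pending.pop(key, None)  # first connection decides; drop the pending exec
            if start and ts - start[0] <= maxspan and is_external(ev["destination_ip"]):
                alerts.append({"host": ev["host"], "hook": start[1],
                               "process": start[2], "destination": ev["destination_ip"]})
    return alerts

# Constructed sample telemetry in a simplified ECS-like shape (not real agent output).
def evt(ts, host, pid, category, **fields):
    return {"ts": ts, "host": host, "pid": pid, "category": category, **fields}

SAMPLE_EVENTS = [
    # 1. pre-commit hook runs curl, which reaches a public address -> alert
    evt("2024-07-15T10:00:00", "build-01", 4242, "process", action="exec",
        parent_executable="/srv/repo/.git/hooks/pre-commit", executable="/usr/bin/curl"),
    evt("2024-07-15T10:00:01", "build-01", 4242, "network", action="connection_attempted", destination_ip="203.0.113.10"),
    # 2. post-receive hook talks to an internal host -> suppressed by the internal-range exclusion
    evt("2024-07-15T10:05:00", "build-01", 4300, "process", action="exec",
        parent_executable="/srv/repo/.git/hooks/post-receive", executable="/usr/bin/ssh"),
    evt("2024-07-15T10:05:01", "build-01", 4300, "network", action="connection_attempted", destination_ip="10.0.0.5"),
    # 3. curl launched from an interactive shell, not a hook -> out of scope
    evt("2024-07-15T10:07:00", "build-01", 4400, "process", action="exec",
        parent_executable="/bin/bash", executable="/usr/bin/curl"),
    evt("2024-07-15T10:07:01", "build-01", 4400, "network", action="connection_attempted", destination_ip="198.51.100.7"),
]
```

Running detect_git_hook_egress(SAMPLE_EVENTS) yields a single alert for the pre-commit case; the other two sequences are the kind of benign or out-of-scope activity the investigation guide asks analysts to rule out.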
Categories
- Endpoint
- Linux
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1543
- T1574
- T1059
- T1059.004
Created: 2024-07-15