
Summary
This detection rule identifies unusual behavior related to Linux kworker processes executed from writable directories such as /home/, /var/log, and /tmp. Because kworker processes are kernel threads that are not normally found in such user-accessible locations, their presence there can indicate malicious activity, such as the execution of malware like CyclopsBlink. The rule leverages Endpoint Detection and Response (EDR) agent data, focusing on the process paths, parent process information, and command lines associated with these processes. A query against the Endpoint data model looks for parent process names containing kworker and checks the recorded process path for abnormal usage within writable folders. This detection is essential for monitoring and preventing potential system compromises, since it identifies attempts to create persistent backdoors or perform stealthy operations that blend in with legitimate processes.
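As an added illustration (not the rule's published search), the matching logic the summary describes is expressed below in Python and run over constructed EDR process events. The field names parent_process_name, process_path and process are assumptions modelled on the Endpoint data model, and the sample events are made up for the example.

```python
from typing import Dict, List

# Constructed sample EDR process events (not real telemetry). Field names
# parent_process_name / process_path / process are assumptions modelled on
# the Endpoint data model the summary refers to.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Kernel thread parent, binary in a system path: benign, no match.
    {"parent_process_name": "kworker/0:1", "process_path": "/usr/bin/sleep",
     "process": "sleep 30"},
    # Kernel-thread-looking parent, child runs from /tmp: matches.
    {"parent_process_name": "kworker/u8:2", "process_path": "/tmp/.x/kworker",
     "process": "/tmp/.x/kworker -d"},
    # Shell parent: the rule keys on kworker parents, so no match here.
    {"parent_process_name": "bash", "process_path": "/home/user/.cache/kworker",
     "process": "./kworker"},
    # kworker parent, child runs from /var/log: matches.
    {"parent_process_name": "kworker/1:0", "process_path": "/var/log/.k/kworker",
     "process": "kworker --spoof"},
    # Event with no process_path recorded: must not raise, must not match.
    {"parent_process_name": "kworker/1:0", "process": "systemd-udevd"},
]

# Writable locations named in the summary; a trailing slash keeps /tmpfoo
# from being treated as /tmp.
WRITABLE_PREFIXES = ("/home/", "/var/log/", "/tmp/")


def is_kworker_parent(parent_name: str) -> bool:
    """True when the parent process name contains 'kworker' (any slot/CPU suffix)."""
    return "kworker" in parent_name.lower()


def in_writable_path(process_path: str) -> bool:
    """True when the executable path sits under one of the writable prefixes."""
    return process_path.startswith(WRITABLE_PREFIXES)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events a kworker-in-writable-path rule would flag, with the
    path, parent and command line a responder needs for triage."""
    hits = []
    for ev in events:
        parent = ev.get("parent_process_name", "")
        path = ev.get("process_path", "")
        if is_kworker_parent(parent) and in_writable_path(path):
            hits.append({"parent_process_name": parent, "process_path": path,
                         "process": ev.get("process", "")})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['parent_process_name']} path={hit['process_path']} cmd={hit['process']}")
```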
Categories
- Linux
- Endpoint
Data Sources
- Sensor Health
- Process
ATT&CK Techniques
- T1036.004
- T1036
Created: 2024-11-13