Linux Restricted Shell Breakout via apt/apt-get Changelog Escape

Elastic Detection Rules

Summary
This rule detects suspicious use of the Linux 'apt' or 'apt-get' command in a pattern consistent with escaping a restricted shell. The apt utility manages installation and removal of software on Debian-based Linux distributions, and its normal operation never involves spawning an interactive system shell. A user confined to a restricted shell may nevertheless abuse it to obtain a less restricted one. The rule looks for a system shell executed by the sensible-pager process when that pager was started as a child of 'apt' or 'apt-get' invoked with the changelog argument. Such behavior suggests a deliberate attempt to bypass shell restrictions and is treated as a potential security threat. The rule is written in Elastic Query Language (EQL) to match events meeting these criteria and carries a medium risk score (47). Its references to GTFOBins point to documented techniques of this kind, which makes the rule highly relevant for threat detection.
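The detection logic described above, as an added illustration in Python rather than the rule's own EQL: it evaluates simplified, constructed process-start events and flags a shell started by sensible-pager when the pager's own parent is apt or apt-get run with the changelog argument. The event shape (nested process/parent fields) and the shell list are assumptions, not the rule's definitions.

```python
"""Flag a system shell spawned via sensible-pager under apt/apt-get changelog.

Modelled on the rule summary above; the nested event shape is assumed."""

SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"}
APT_BINARIES = {"apt", "apt-get"}


def is_apt_changelog_shell_escape(event: dict) -> bool:
    """True when a shell starts under the apt(-get) changelog -> sensible-pager chain."""
    if event.get("event", {}).get("type") != "start":
        return False
    proc = event.get("process", {})
    parent = proc.get("parent", {})
    grandparent = parent.get("parent", {})
    return (
        proc.get("name") in SHELLS
        and parent.get("name") == "sensible-pager"
        and grandparent.get("name") in APT_BINARIES
        and "changelog" in grandparent.get("args", [])
    )


def detect(events: list) -> list:
    """Return the ids of events matching the detection logic."""
    return [e["id"] for e in events if is_apt_changelog_shell_escape(e)]


# Constructed sample events (not real telemetry), in a simplified ECS-like shape.
APT_CHANGELOG = {"name": "apt-get", "args": ["apt-get", "changelog", "curl"]}
MAN_PAGE = {"name": "man", "args": ["man", "curl"]}
SAMPLE_EVENTS = [
    # benign: apt-get changelog opens the pager, which runs less as expected
    {"id": 1, "event": {"type": "start"},
     "process": {"name": "less", "parent": {"name": "sensible-pager", "parent": APT_CHANGELOG}}},
    # suspicious: a shell started from the pager under apt-get changelog
    {"id": 2, "event": {"type": "start"},
     "process": {"name": "sh", "parent": {"name": "sensible-pager", "parent": APT_CHANGELOG}}},
    # benign for this rule: shell under sensible-pager, but the ancestor is not apt
    {"id": 3, "event": {"type": "start"},
     "process": {"name": "sh", "parent": {"name": "sensible-pager", "parent": MAN_PAGE}}},
    # ignored: not a process-start event
    {"id": 4, "event": {"type": "end"},
     "process": {"name": "sh", "parent": {"name": "sensible-pager", "parent": APT_CHANGELOG}}},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # [2]
```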
Categories
  • Linux
  • Endpoint
  • Cloud
Data Sources
  • Process
  • Application Log
  • Container
  • Logon Session
ATT&CK Techniques
  • T1059
  • T1059.004
Created: 2022-02-24