Initramfs Unpacking via unmkinitramfs

Elastic Detection Rules

Summary
This detection rule identifies executions of the `unmkinitramfs` command on Linux systems. `unmkinitramfs` unpacks initramfs images, the archives the kernel uses as its early root filesystem during boot. Unpacking an initramfs image is a step an attacker can take to modify boot components and insert malicious code or a backdoor, which helps maintain persistence after an initial compromise. The rule alerts on process-initiation events that indicate `unmkinitramfs` was started, and maps this behavior to several MITRE ATT&CK techniques related to persistence, execution, and defense evasion.

Investigation of an alert should focus on confirming the context of the command execution: the user privileges it ran with, whether the parent process is expected, and any unusual system activity around the time of the unpacking. The rule draws on data from endpoint logs and dynamic monitoring solutions integrated through Elastic Agent, and it has specific prerequisites that must be met for effective deployment. Response actions are outlined for incidents in which unauthorized use of the command is confirmed, so that affected systems can be quickly isolated and restored to a secured state.
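The following is an added example, not the rule's own query: a small Python re-implementation of the process-start check described above, run over constructed ECS-style process events, with a triage helper that surfaces the context the investigation guidance asks for (privilege level, parent process, target image path). The field names (`event.type`, `process.name`, `process.parent.name`, `user.id`) and the sample events are assumptions made for the example.

```python
"""Added example: match unmkinitramfs process-start events and attach
triage context. This is illustrative code, not the Elastic rule's query."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed sample events (not real telemetry). Field names follow ECS
# conventions by assumption; the rule's actual query is not shown on this page.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-01-16T10:00:01Z", "host.name": "web-01",
     "event.type": "start", "process.name": "unmkinitramfs",
     "process.args": ["unmkinitramfs", "/boot/initrd.img-6.1.0-example", "/tmp/ird"],
     "process.parent.name": "bash", "user.id": "0", "user.name": "root"},
    {"@timestamp": "2025-01-16T10:00:02Z", "host.name": "web-01",
     "event.type": "start", "process.name": "lsinitramfs",
     "process.args": ["lsinitramfs", "/boot/initrd.img-6.1.0-example"],
     "process.parent.name": "bash", "user.id": "0", "user.name": "root"},
    {"@timestamp": "2025-01-16T10:00:03Z", "host.name": "web-01",
     "event.type": "end", "process.name": "unmkinitramfs",
     "process.args": ["unmkinitramfs", "/boot/initrd.img-6.1.0-example", "/tmp/ird"],
     "process.parent.name": "bash", "user.id": "0", "user.name": "root"},
    {"@timestamp": "2025-01-16T11:30:00Z", "host.name": "build-07",
     "event.type": "start", "process.name": "unmkinitramfs",
     "process.args": ["unmkinitramfs", "build/initrd.img", "out"],
     "process.parent.name": "make", "user.id": "1000", "user.name": "ci"},
]


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    privileged: bool     # True when the process ran as uid 0
    parent: str          # parent process name, for the "unusual parent" check
    command_line: str


def is_unmkinitramfs_start(event: dict) -> bool:
    """The detection condition: a process-start event for unmkinitramfs.
    Only 'start' events count; 'end' events for the same process are ignored."""
    return (event.get("event.type") == "start"
            and event.get("process.name") == "unmkinitramfs")


def detect(events: Iterable[dict]) -> list[Alert]:
    """Run the check over a stream of events and return one Alert per match."""
    alerts: list[Alert] = []
    for ev in events:
        if not is_unmkinitramfs_start(ev):
            continue
        alerts.append(Alert(
            timestamp=ev.get("@timestamp", ""),
            host=ev.get("host.name", ""),
            user=ev.get("user.name", ""),
            privileged=ev.get("user.id") == "0",
            parent=ev.get("process.parent.name", ""),
            command_line=" ".join(ev.get("process.args", [])),
        ))
    return alerts


def triage_notes(alert: Alert) -> list[str]:
    """Investigation hints matching the guidance above: privileges, parent, and
    whether the target is the live boot image. The shell list is an assumption."""
    notes: list[str] = []
    if alert.privileged:
        notes.append("executed as root: boot components can be rewritten after unpacking")
    if alert.parent in {"bash", "sh", "zsh", "dash"}:
        notes.append(f"shell parent ({alert.parent}): review the logon session that launched it")
    if "/boot/" in alert.command_line:
        notes.append("targets an image under /boot: compare it with the package-managed initrd")
    return notes


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.timestamp} {alert.host} user={alert.user} parent={alert.parent}")
        for note in triage_notes(alert):
            print("  -", note)
```

Run stand-alone, the script flags the root-owned start on `web-01` with three triage notes and the unprivileged build-host start on `build-07` with none; the `lsinitramfs` start and the `end` event are not matched.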
Categories
  • Linux
  • Endpoint
  • Cloud
Data Sources
  • Process
  • Logon Session
  • Application Log
  • Sensor Health
ATT&CK Techniques
  • T1542
  • T1543
  • T1574
  • T1059
  • T1059.004
Created: 2025-01-16