Linux Docker Shell Execution

This detection identifies shell execution activity associated with Docker containers on Linux systems. Specifically, it monitors for interactive or non-interactive shell processes (e.g., `/bin/bash`, `/bin/sh`, `/bin/zsh`) launched via Docker commands such as `docker exec`, or through container entrypoint overrides. Shell execution inside a container may indicate administrative troubleshooting activity. However, it can also represent post-exploitation behavior, where an attacker gains access to a container and spawns a shell to execute arbitrary commands, establish persistence, or pivot to the host.