diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml
new file mode 100644
index 000000000..75b821757
--- /dev/null
+++ b/rules/linux/command_and_control_linux_kworker_netcon.toml
@@ -0,0 +1,86 @@
+[metadata]
+creation_date = "2023/10/18"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/10/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the
+kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel
+space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.
+Attackers may attempt to evade detection by masquerading as a kernel worker process.
+"""
+from = "now-60m"
+index = ["logs-endpoint.events.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Network Activity Detected via Kworker"
+risk_score = 21
+rule_id = "25d917c4-aa3c-4111-974c-286c0312ff95"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Data Source: Elastic Defend"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and
+process.name:kworker*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ id = "TA0011"
+ name = "Command and Control"
+ reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ id = "TA0005"
+ name = "Defense Evasion"
+ reference = "https://attack.mitre.org/tactics/TA0005/"
+
+ [[rule.threat.technique]]
+ name = "Masquerading"
+ id = "T1036"
+ reference = "https://attack.mitre.org/techniques/T1036/"
+
+ [[rule.threat.technique]]
+ name = "Rootkit"
+ id = "T1014"
+ reference = "https://attack.mitre.org/techniques/T1014/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ id = "TA0010"
+ name = "Exfiltration"
+ reference = "https://attack.mitre.org/tactics/TA0010/"
+
+ [[rule.threat.technique]]
+ name = "Exfiltration Over C2 Channel"
+ id = "T1041"
+ reference = "https://attack.mitre.org/techniques/T1041/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["destination.ip", "process.name", "host.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+
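Review bot: The `process.name:kworker*` clause in `query` matches on name alone, so it cannot separate a userland binary masquerading as kworker from a genuine kernel thread; if this data source ever emits network events for real kernel threads (which carry no executable path), adding `process.executable:*` would keep the rule focused on the masquerading case the description targets — confirm against sample events before relying on it. The `tags` array lists only `"Tactic: Command and Control"`, while the `[[rule.threat]]` entries also map Defense Evasion (TA0005) and Exfiltration (TA0010); adding `"Tactic: Defense Evasion"` and `"Tactic: Exfiltration"` keeps the tags consistent with the threat mappings. There is no `note` field, so an analyst triaging an alert gets no guidance on why a kworker-named process opening a connection is unexpected or what to verify (executable path, parent process, command line); a short investigation note would close that gap. The closing `]` of `tags` is indented while no other key in the file is, which a `taplo fmt` pass would normalize.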