
Interactive Terminal Spawned via Perl

Elastic Detection Rules

Summary
This detection rule identifies a terminal being spawned via Perl, a tactic attackers use to upgrade a simple reverse shell into a fully interactive terminal after gaining access to a host. The rule relies on process event data from Linux systems, collected principally by Auditbeat and Elastic Defend. When a Perl process is started with arguments that spawn an interactive shell (e.g., exec '/bin/sh' or exec '/bin/bash'), the rule raises an alert. This matters for threat detection because it surfaces possible misuse of Perl for privilege escalation or persistence. For the rule to function, either Elastic Defend or Auditbeat must be installed and correctly configured. Investigation should focus on confirming the context of the Perl execution, examining the user account involved, and reviewing logs for anomalies that might indicate unauthorized access. The rule also contains remediation steps for responding to suspicious Perl processes so that system integrity can be restored.
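The following added example (not part of the Elastic rule or this page) shows the rule's core logic applied to constructed ECS-style process events: it gates on a Linux process-start event whose process.name is perl and whose arguments exec /bin/sh or /bin/bash. The event layout, the regex and the sample telemetry are this example's own assumptions.

```python
import re
from typing import Iterable

# Shell paths the page names as the rule's trigger.
INTERACTIVE_SHELLS = ("/bin/sh", "/bin/bash")

# Matches Perl one-liners such as  exec "/bin/sh";  or  exec('/bin/bash');
# This regex is the example's own approximation of the rule's argument check.
_EXEC_SHELL = re.compile(
    r"""\bexec\s*\(?\s*['"](?P<shell>%s)['"]"""
    % "|".join(re.escape(s) for s in INTERACTIVE_SHELLS)
)


def matches_rule(event: dict) -> bool:
    """True when a Linux process-start event shows Perl spawning a shell."""
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    if event.get("event", {}).get("type") != "start":
        return False
    proc = event.get("process", {})
    if proc.get("name") != "perl":
        return False
    # process.args is the full argv; the exec usually sits inside a -e one-liner.
    return any(_EXEC_SHELL.search(arg) for arg in proc.get("args", []))


def find_alerts(events: Iterable[dict]) -> list:
    """Return (host.name, user.name, process.command_line) per matching event."""
    return [
        (e["host"]["name"], e["user"]["name"], e["process"]["command_line"])
        for e in events
        if matches_rule(e)
    ]


def _event(host: str, user: str, name: str, args: list) -> dict:
    """Build a minimal constructed ECS process-start event (assumed layout)."""
    return {
        "host": {"name": host, "os": {"type": "linux"}},
        "event": {"category": "process", "type": "start"},
        "user": {"name": user},
        "process": {"name": name, "args": args, "command_line": " ".join(args)},
    }


# Constructed sample telemetry, not real captured data.
SAMPLE_EVENTS = [
    _event("web01", "www-data", "perl", ["perl", "-e", 'exec "/bin/sh";']),
    _event("web01", "www-data", "perl", ["perl", "-e", "exec('/bin/bash');"]),
    _event("build02", "jenkins", "perl", ["perl", "/opt/scripts/rotate_logs.pl"]),
    _event("build02", "jenkins", "perl", ["perl", "-e", 'system("/bin/ls");']),
    _event("web01", "root", "bash", ["bash", "-c", 'exec "/bin/sh"']),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT: host=%s user=%s cmd=%r" % alert)
```

Only the first two sample events match: the script invocation and the system() one-liner do not exec a shell, and the bash event fails the process.name gate even though its argument looks similar.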
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1059
Created: 2020-04-16