Potential Meterpreter Reverse Shell

Elastic Detection Rules

Summary
This detection rule identifies potential Meterpreter reverse shell activity on Linux hosts by watching for a specific pattern of system file reads. Meterpreter, the post-exploitation payload of the Metasploit framework, fingerprints the host it lands on by reading files such as `/etc/machine-id`, `/etc/passwd`, and the network tables under `/proc/net/`. The rule flags a process that reads this combination of files, since that access pattern is characteristic of adversary information gathering.

Event data comes from either Auditbeat or the Auditd Manager integration. Both must be configured with the audit rules that record reads of the files in question; without those audit rules the detection has no events to match. The detection itself is written in EQL (Event Query Language).

The rule carries a risk score of 47, indicating a moderate threat level that warrants investigation when an alert fires. Recommended triage steps are to review the PID and UID attached to the alert, assess the integrity of the host, and correlate with other logs for broader context. Legitimate processes that read the same files during normal operation can produce false positives, so alerts should be reviewed and the rule tuned rather than acted on blindly.

The rule is mapped to the MITRE ATT&CK framework under both the Execution and Command and Control tactics, which supports its use in incident response planning and security operations.
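The following is an added example, not Elastic's rule or its EQL query: a minimal Python re-implementation of the detection idea above, run over constructed auditd-style file-read events. A single process that reads every path in `FINGERPRINT_FILES` within `WINDOW_SECONDS` is flagged. The path set, the window length, the `key=value` event format and the `ignore_exes` tuning knob are all assumptions made for the example; the real rule's file list and matching logic may differ.

```python
"""Added example, not Elastic's rule or its EQL query: a minimal Python
re-implementation of the detection idea in the summary, run over constructed
auditd-style file-read events. A single process that reads every path in
FINGERPRINT_FILES within WINDOW_SECONDS is flagged. The path set, the window
and the event format are assumptions made for the example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Paths named in the summary as typical Meterpreter fingerprinting reads.
# The exact set used by Elastic's rule may differ (assumption).
FINGERPRINT_FILES = frozenset({
    "/etc/machine-id",
    "/etc/passwd",
    "/proc/net/route",
    "/proc/net/arp",
})
WINDOW_SECONDS = 5.0  # assumption: all reads must fall inside this span


@dataclass(frozen=True)
class FileRead:
    ts: float
    pid: int
    uid: int
    exe: str
    path: str


def parse_event(line: str) -> Optional[FileRead]:
    """Parse one constructed 'key=value ...' line into a FileRead.
    Returns None for malformed lines so a bad record cannot abort the scan."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    try:
        return FileRead(float(fields["ts"]), int(fields["pid"]),
                        int(fields["uid"]), fields["exe"], fields["path"])
    except (KeyError, ValueError):
        return None


def _covering_window(reads: list) -> Optional[tuple]:
    """Given (ts, path) pairs for one pid, sorted by ts, return the
    (first_ts, last_ts) of the earliest span of WINDOW_SECONDS in which every
    path in FINGERPRINT_FILES was read, or None if no such span exists."""
    for i, (start_ts, _) in enumerate(reads):
        seen = set()
        for ts, path in reads[i:]:
            if ts - start_ts > WINDOW_SECONDS:
                break
            seen.add(path)
            if seen >= FINGERPRINT_FILES:
                return (start_ts, ts)
    return None


def detect(lines: Iterable[str], ignore_exes: frozenset = frozenset()) -> list:
    """Return one (pid, uid, exe, first_ts, last_ts) tuple per flagged process.
    ignore_exes is a tuning knob for known-benign binaries (false positives)."""
    per_pid = defaultdict(list)
    meta = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.path not in FINGERPRINT_FILES or ev.exe in ignore_exes:
            continue
        per_pid[ev.pid].append((ev.ts, ev.path))
        meta[ev.pid] = (ev.uid, ev.exe)
    hits = []
    for pid, reads in per_pid.items():
        reads.sort()
        window = _covering_window(reads)
        if window:
            uid, exe = meta[pid]
            hits.append((pid, uid, exe, window[0], window[1]))
    return hits


# Constructed sample events (not real audit logs). pid 4242 reads all four
# paths within a second; pid 900 reads only /etc/passwd; pid 777 reads all
# four but spread over a minute, so it never fits inside the window.
SAMPLE_EVENTS = [
    "ts=100.0 pid=4242 uid=1000 exe=/tmp/.x path=/etc/machine-id",
    "ts=100.1 pid=900 uid=0 exe=/usr/sbin/sshd path=/etc/passwd",
    "ts=100.2 pid=4242 uid=1000 exe=/tmp/.x path=/etc/passwd",
    "ts=100.3 pid=4242 uid=1000 exe=/tmp/.x path=/proc/net/route",
    "ts=100.4 pid=4242 uid=1000 exe=/tmp/.x path=/proc/net/arp",
    "ts=200.0 pid=777 uid=1000 exe=/usr/bin/slowtool path=/etc/machine-id",
    "ts=220.0 pid=777 uid=1000 exe=/usr/bin/slowtool path=/etc/passwd",
    "ts=240.0 pid=777 uid=1000 exe=/usr/bin/slowtool path=/proc/net/route",
    "ts=260.0 pid=777 uid=1000 exe=/usr/bin/slowtool path=/proc/net/arp",
    "garbage line that is not an event",
]

if __name__ == "__main__":
    for pid, uid, exe, t0, t1 in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} uid={uid} exe={exe} window={t0:.1f}-{t1:.1f}")
```

Only pid 4242 is reported: the sshd read of `/etc/passwd` alone is not enough, and the slow reader never completes the set inside one window. Whether a time window or a per-process correlation is the right primitive depends on the data source; the point of the example is that the alert fires on the combination of reads, which is why the summary recommends reviewing the PID and UID on the alert rather than any single file access.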
Categories
  • Linux
  • Endpoint
  • Other
Data Sources
  • File
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1059 (Command and Scripting Interpreter)
  • T1059.004 (Unix Shell)
  • T1071 (Application Layer Protocol)
Created: 2023-08-10