
Suspicious Utility Launched via ProxyChains

Elastic Detection Rules

Summary
This detection rule monitors for the execution of suspicious Linux utilities through ProxyChains, a command-line tool that routes a program's network connections through one or more proxy servers. Attackers can use it to hide their true IP address, evade detection, and carry out activities such as data exfiltration or establishing persistence through reverse shells. The rule uses Event Query Language (EQL) to find processes started through ProxyChains and matches a set of known suspicious command-line arguments commonly associated with tunneling and command-and-control activity.

The rule draws on several data sources, including Elastic Defend, CrowdStrike, and audit frameworks, and requires Elastic Stack version 8.13.0 or later because of breaking changes in the integrations. Its investigation notes cover triaging alerts, examining related network activity, and responding to potential threats, and they stress that user and host behavior must be interpreted in context. The rule's risk score is low, but a genuine hit can have severe implications. It also lists response and remediation steps for confirmed malicious activity: isolating affected systems, removing the identified threat, and improving detection going forward.
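The following is an added example, not code from the Elastic rule or this page, showing the shape of the detection logic the summary describes: a process start event whose executable is the ProxyChains wrapper and whose arguments name a tunneling utility. The event fields mirror the ECS names an EQL rule would query (process.name, process.args, event.type), the list of suspicious tools is a constructed placeholder rather than the rule's real list, the inclusion of "proxychains4" (the proxychains-ng binary name) is an assumption, and the sample events are constructed, not real telemetry.

```python
"""Toy re-implementation of a ProxyChains detection over in-memory process events.

It mirrors the structure of an EQL rule of the form
    process where host.os.type == "linux" and event.type == "start"
      and process.name == "proxychains" and process.args in (<suspicious tools>)
so the matching can be exercised offline. Nothing here is the rule's own code.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# ASSUMPTION: an illustrative list of tunnelling / remote-access utilities.
# The actual rule ships its own argument list, which is not reproduced here.
SUSPICIOUS_TOOLS = frozenset({"ssh", "socat", "nc", "ncat", "ngrok", "chisel"})

# ASSUMPTION: both the classic binary name and the proxychains-ng name.
PROXYCHAINS_NAMES = frozenset({"proxychains", "proxychains4"})


@dataclass
class ProcessEvent:
    """Minimal ECS-like process event (constructed for the example)."""
    host_os_type: str
    event_type: str
    process_name: str
    process_args: List[str] = field(default_factory=list)
    user_name: str = ""
    host_name: str = ""


def suspicious_args(event: ProcessEvent, tools=SUSPICIOUS_TOOLS) -> List[str]:
    """Return the arguments of a ProxyChains start event that name a suspicious tool.

    argv[0] is the wrapper itself and is skipped. Each remaining argument is
    tested independently, which is how an EQL `process.args in (...)` clause
    behaves, so wrapper options such as '-q' or '-f <config>' are simply ignored.
    """
    if event.host_os_type != "linux" or event.event_type != "start":
        return []
    if event.process_name not in PROXYCHAINS_NAMES:
        return []
    return [arg for arg in event.process_args[1:] if arg in tools]


def find_matches(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """All events that would raise an alert under the rule shape above."""
    return [e for e in events if suspicious_args(e)]


def triage_context(matches: Iterable[ProcessEvent]) -> Dict[Tuple[str, str], int]:
    """Count alerts per (user, host) pair.

    The rule's investigation notes stress context-aware analysis of user and
    host behaviour; a per-principal count is the first thing an analyst wants.
    """
    return dict(Counter((m.user_name, m.host_name) for m in matches))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("linux", "start", "proxychains",
                 ["proxychains", "-q", "ssh", "-D", "1080", "user@10.0.0.5"],
                 user_name="alice", host_name="build-01"),
    ProcessEvent("linux", "start", "proxychains4",
                 ["proxychains4", "curl", "https://example.invalid/"],
                 user_name="bob", host_name="web-02"),
    ProcessEvent("linux", "start", "proxychains",
                 ["proxychains", "socat", "STDIO", "TCP:10.0.0.7:443"],
                 user_name="root", host_name="db-03"),
    # Process-end event: the rule only looks at starts.
    ProcessEvent("linux", "end", "proxychains",
                 ["proxychains", "ssh", "host"], user_name="alice", host_name="build-01"),
    # Wrong OS type: filtered out by the host.os.type clause.
    ProcessEvent("windows", "start", "proxychains",
                 ["proxychains", "ssh", "host"], user_name="carol", host_name="win-01"),
]


if __name__ == "__main__":
    hits = find_matches(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit.user_name}@{hit.host_name}: {' '.join(hit.process_args)} "
              f"-> matched {suspicious_args(hit)}")
    print("per user/host:", triage_context(hits))
```

Running the block prints the two matching events (the ssh and socat launches) and a per-user/host count; the curl launch, the process-end event, and the non-Linux event are filtered out for the same reasons the EQL clauses would filter them. Tuning in practice happens at the tool list and in the investigation notes, not in the matching logic itself.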
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Network Traffic
  • Application Log
  • File
ATT&CK Techniques
  • T1572
Created: 2023-08-23