
Potential Reverse Shell via Suspicious Child Process

Elastic Detection Rules

Summary
This rule detects a reverse shell set up through a suspicious child process on Linux hosts. It looks for a process-start event in which a scripting-language interpreter (Python, Perl, Ruby, Lua and similar) is spawned, followed shortly by an outbound network connection attempted by that same process. The built-in socket facilities of these languages are exactly what a reverse-shell one-liner uses to call back to an attacker-controlled host, so the execute-then-connect pairing is the signal. By correlating the process event with the network event of the same process, rather than alerting on either alone, the rule surfaces a pattern that is rare in normal shell usage and may indicate an initial foothold or an attacker's persistence mechanism. Interpreters launched from a shell that then open legitimate connections (package installs, API clients) can still match, so tune on parent process, destination and user before relying on it. The rule is published at production maturity and requires the process and network events that Elastic Defend, part of the Elastic Security suite, streams from the endpoint.
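To make the correlation concrete, here is a minimal re-implementation of the logic described above, run over constructed ECS-style events. This is an added example and not Elastic's own EQL query or code; the shell-parent requirement, the loopback exclusion, the one-second window (MAXSPAN_SECONDS) and the netcat-style tool names are assumptions made for illustration, and all event data below is constructed.

```python
# Added example: a minimal re-implementation of the process-then-connect
# correlation this rule describes, run over constructed ECS-style events.
# Not Elastic's EQL query or code. Assumptions (not stated on the page):
# the interpreter's parent must be a shell, the destination must not be
# loopback, and the two events must fall within MAXSPAN_SECONDS.
import fnmatch
import ipaddress

SHELLS = ("bash", "dash", "sh", "zsh", "ksh", "fish", "csh", "tcsh")
# Interpreters named on the page plus netcat-style tools (assumed additions).
INTERPRETERS = ("python*", "perl*", "ruby*", "lua*", "php*",
                "nc", "ncat", "netcat", "socat", "openssl", "telnet")
MAXSPAN_SECONDS = 1.0  # assumed window between spawn and connection attempt


def matches_any(name, patterns):
    """Case-sensitive glob match, like an EQL `process.name : "python*"` test."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def is_suspicious_spawn(ev):
    """Interpreter or network tool started directly by a shell."""
    return (matches_any(ev["process.name"], INTERPRETERS)
            and matches_any(ev["process.parent.name"], SHELLS))


def is_outbound(dst_ip):
    """A reverse shell calls out, so ignore connections to loopback."""
    return not ipaddress.ip_address(dst_ip).is_loopback


def correlate(events, maxspan=MAXSPAN_SECONDS):
    """Pair each suspicious process start with the first outbound connection
    attempted by the same process (host.id + process.entity_id) within maxspan."""
    pending = {}  # (host.id, process.entity_id) -> process start event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev["host.id"], ev["process.entity_id"])
        if ev["event.category"] == "process" and ev["event.type"] == "start":
            if is_suspicious_spawn(ev):
                pending[key] = ev
        elif (ev["event.category"] == "network"
              and ev["event.action"] == "connection_attempted"):
            start = pending.get(key)
            if start is None:
                continue
            delta = ev["@timestamp"] - start["@timestamp"]
            if 0 <= delta <= maxspan and is_outbound(ev["destination.ip"]):
                alerts.append({
                    "host.id": ev["host.id"],
                    "process.entity_id": ev["process.entity_id"],
                    "process.name": start["process.name"],
                    "process.parent.name": start["process.parent.name"],
                    "destination.ip": ev["destination.ip"],
                    "destination.port": ev["destination.port"],
                })
                del pending[key]  # one alert per spawn
    return alerts


def _proc(host, entity, name, parent, ts):
    """Constructed process-start event in flattened ECS field names."""
    return {"@timestamp": ts, "host.id": host, "process.entity_id": entity,
            "event.category": "process", "event.type": "start",
            "event.action": "exec", "process.name": name,
            "process.parent.name": parent}


def _net(host, entity, dst, port, ts):
    """Constructed network connection-attempt event by the same process."""
    return {"@timestamp": ts, "host.id": host, "process.entity_id": entity,
            "event.category": "network", "event.type": "start",
            "event.action": "connection_attempted",
            "destination.ip": dst, "destination.port": port}


# Constructed sample telemetry; timestamps are epoch seconds kept small for readability.
SAMPLE_EVENTS = [
    # p1: python3 launched from bash, then connects out -> should alert
    _proc("host-a", "p1", "python3", "bash", 100.0),
    _net("host-a", "p1", "203.0.113.5", 4444, 100.3),
    # p2: same spawn pattern but the connection is to loopback -> no alert
    _proc("host-a", "p2", "python3", "bash", 200.0),
    _net("host-a", "p2", "127.0.0.1", 8000, 200.2),
    # p3: python3 started by systemd, not a shell -> no alert
    _proc("host-a", "p3", "python3", "systemd", 300.0),
    _net("host-a", "p3", "203.0.113.9", 443, 300.1),
    # p4: perl from sh, but the connection comes 5 s later -> outside maxspan
    _proc("host-a", "p4", "perl", "sh", 400.0),
    _net("host-a", "p4", "203.0.113.7", 4444, 405.0),
]


def run_sample():
    """Run the correlation over the constructed events; returns one alert (p1)."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the first pair fires: the loopback destination, the non-shell parent and the late connection each drop out, which is the shape of the tuning a practitioner does against the real rule (adjust the parent list, the destination exclusions and the window to the environment's actual noise). The exact field values and window in Elastic's published query may differ from the assumptions here, so check them against the rule source before porting this logic.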
Categories
  • Endpoint
Data Sources
  • Process
  • Network Traffic
  • Container
ATT&CK Techniques
  • T1059 (Command and Scripting Interpreter)
  • T1059.004 (Unix Shell)
  • T1071 (Application Layer Protocol)
Created: 2023-07-04