Reverse Shell Created via Named Pipe

Elastic Detection Rules

Summary
This detection rule identifies the creation of a reverse shell on Linux systems that is built from a named pipe in combination with tools such as OpenSSL or Netcat. Named pipes (FIFO files) let processes communicate by reading from and writing to the same file. The rule is predicated on a specific sequence of processes in which a named pipe is created and then used to establish a network connection back to an external host, giving the remote side command execution on the compromised system. The EQL (Event Query Language) query looks for the creation of a named pipe followed closely (within 5 seconds) by shell execution and the invocation of a network tool (Netcat or OpenSSL). The rule has a medium risk score, given the potential for unauthorized remote command execution over the established connection, which makes it a notable threat. The rule also accounts for potential false positives from normal use of Netcat and OpenSSL, since both tools are widely used for legitimate purposes; it is their combination with a named pipe in this abnormal pattern that signals malicious activity.
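The sequence logic the summary describes (named pipe created, then a shell, then Netcat or OpenSSL, all within 5 seconds) can be prototyped outside Elastic to understand what the rule will and will not fire on. The Python below is an added illustration, not the rule's EQL or Elastic's code; the correlation key (a shared session identifier), the shell and network-tool name lists, and the sample process events are all assumptions constructed for the example. It deliberately includes a benign mkfifo use and a sequence that falls outside the 5-second window so the false-positive handling discussed above is visible.

```python
"""Toy re-implementation of the mkfifo -> shell -> netcat/openssl sequence
described in the rule summary. Added example; not Elastic's rule."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    session: str   # ASSUMED correlation key (e.g. the parent shell's entity id)
    name: str      # process name as an endpoint agent would report it


MAXSPAN = timedelta(seconds=5)                        # window stated in the summary
SHELLS = {"sh", "bash", "dash", "zsh"}                # assumed shell names
NETWORK_TOOLS = {"nc", "ncat", "netcat", "openssl"}  # Netcat variants and OpenSSL


def detect_named_pipe_reverse_shell(events: Iterable[ProcessEvent]) -> List[Dict[str, object]]:
    """Return one alert per mkfifo that is followed, on the same host and
    session and within MAXSPAN, first by a shell and then by a network tool."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts: List[Dict[str, object]] = []
    for i, fifo in enumerate(ordered):
        if fifo.name != "mkfifo":
            continue
        shell_seen = None
        for follower in ordered[i + 1:]:
            if follower.ts - fifo.ts > MAXSPAN:
                break  # the sequence window has expired; stop scanning
            if follower.host != fifo.host or follower.session != fifo.session:
                continue  # unrelated activity on another host/session
            if shell_seen is None:
                if follower.name in SHELLS:
                    shell_seen = follower  # stage 2 satisfied
            elif follower.name in NETWORK_TOOLS:
                alerts.append({
                    "host": fifo.host,
                    "session": fifo.session,
                    "named_pipe_at": fifo.ts.isoformat(),
                    "shell": shell_seen.name,
                    "network_tool": follower.name,
                    "elapsed_seconds": (follower.ts - fifo.ts).total_seconds(),
                })
                break  # stage 3 satisfied; one alert per named pipe
    return alerts


# Constructed sample telemetry (not real data).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    # benign: openssl on its own, no named pipe involved
    ProcessEvent(T0, "build-01", "s1", "openssl"),
    # benign: a build script creates a FIFO, then runs tar; no shell/network tool
    ProcessEvent(T0 + timedelta(seconds=10), "build-01", "s2", "mkfifo"),
    ProcessEvent(T0 + timedelta(seconds=11), "build-01", "s2", "tar"),
    # suspicious: the full sequence on web-01 within two seconds
    ProcessEvent(T0 + timedelta(seconds=20), "web-01", "s3", "mkfifo"),
    ProcessEvent(T0 + timedelta(seconds=21), "web-01", "s3", "sh"),
    ProcessEvent(T0 + timedelta(seconds=22), "web-01", "s3", "nc"),
    # outside the window: nc arrives 30 s after the mkfifo, so no alert
    ProcessEvent(T0 + timedelta(seconds=40), "db-01", "s4", "mkfifo"),
    ProcessEvent(T0 + timedelta(seconds=41), "db-01", "s4", "bash"),
    ProcessEvent(T0 + timedelta(seconds=70), "db-01", "s4", "nc"),
]


def run_sample() -> List[Dict[str, object]]:
    """Convenience wrapper so the sample can be checked from a test."""
    return detect_named_pipe_reverse_shell(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the web-01 sequence produces an alert; the build host's FIFO never progresses past stage one, and the db-01 sequence expires because the network tool appears outside the 5-second window. In the real rule the correlation field and process-name lists come from the EQL query itself, so check those before relying on this approximation to reason about coverage.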
Categories
  • Endpoint
  • Linux
Data Sources
  • Named Pipe
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1059
  • T1059.004
Created: 2022-11-14