
Summary
This detection rule identifies suspicious commands that use the `/dev/tcp` interface on Linux systems. The `/dev/tcp` pseudo-device (a bash feature, together with `/dev/udp`) allows direct socket communication from the shell, which can be abused to create reverse shells, perform port scanning, or exfiltrate data. Common patterns indicative of these malicious activities are captured through specific command keywords associated with `/dev/tcp` and `/dev/udp`. The rule triggers when any of these keywords appear in command execution logs. Because `/dev/tcp` and `/dev/udp` are often used for reconnaissance, this detection helps security teams identify potential threats early and respond proactively to abnormal behavior. The keywords cover a range of commands that might indicate an attacker trying to establish a command and control channel or perform unauthorized network scans.
Categories
- Linux
- Endpoint
- Network
- Infrastructure
Data Sources
- Process
- Application Log
- Command
ATT&CK Techniques
- T1046
Created: 2021-12-10