Linux Shell Pipe to Shell

Sigma Rules

Summary
This detection rule identifies suspicious process command lines on Linux systems that start with a shell invocation (specifically 'sh -c' or 'bash -c') and ultimately pipe their output into another shell ('bash' or 'sh'). Such command patterns are often used in attack scenarios to evade detection and execute malicious payloads covertly. The rule combines two selection criteria: the command line must begin with one of the listed shell invocations, and it must contain a pipe operator followed by a further shell invocation, indicating a chain of shell executions. A command line of this shape suggests an evasive attempt to obscure what is being run by chaining shell processes together through pipes. The rule targets behaviour typical of defense evasion, specifically MITRE ATT&CK technique T1140. Proper tuning may be required to reduce false positives, especially in environments where legitimate software uses similar command patterns.
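As an added illustration (not the Sigma rule's own logic or any code from this page), the script below re-implements the matching the summary describes, a command line that starts with `sh -c` or `bash -c` and later pipes into `sh` or `bash`, runs it over constructed process-creation records, and shows a substring allowlist as the tuning knob for known-benign software. The event field names, the sample command lines and the allowlist entries are assumptions.

```python
import re

# Criterion 1: the command line starts with a shell invoked with -c,
# exactly the two prefixes the rule summary names.
SHELL_C_PREFIX = re.compile(r"^(?:ba)?sh -c\s")

# Criterion 2: a pipe (a single '|', not the '||' operator) whose right-hand
# side is sh or bash, optionally with an absolute path, and followed by
# whitespace, end of string or a closing quote so that '| shasum' does not match.
PIPE_TO_SHELL = re.compile(
    r"(?<!\|)\|(?!\|)\s*(?:/bin/|/usr/bin/)?(?:ba)?sh(?:\s|$|['\"])"
)


def is_shell_pipe_to_shell(cmdline: str) -> bool:
    """True when cmdline starts with sh/bash -c and pipes into sh/bash."""
    return bool(SHELL_C_PREFIX.match(cmdline)) and bool(PIPE_TO_SHELL.search(cmdline))


def scan(events, allowlist=()):
    """Return the events that match the rule and are not suppressed by tuning.

    allowlist holds command-line fragments of software known to use this
    pattern legitimately in the local environment (an assumed tuning mechanism).
    """
    hits = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        if not is_shell_pipe_to_shell(cmd):
            continue
        if any(fragment in cmd for fragment in allowlist):
            continue  # matches the rule but is covered by local tuning
        hits.append(ev)
    return hits


# Constructed process-creation records (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4101, "cmdline": 'sh -c "cat /opt/acme/bootstrap.sh | bash"'},
    {"pid": 4102, "cmdline": 'bash -c "ps aux | grep nginx"'},       # pipe, but not into a shell
    {"pid": 4103, "cmdline": 'bash -c "echo hello |sh"'},            # no space after the pipe
    {"pid": 4104, "cmdline": "python3 /opt/acme/agent.py | sh"},     # lacks the sh -c prefix
    {"pid": 4105, "cmdline": 'sh -c "cat /opt/acme/bootstrap.sh | shasum"'},  # 'sh' is a prefix of shasum
    {"pid": 4106, "cmdline": 'sh -c "test -f /etc/acme.conf || sh /opt/acme/init.sh"'},  # '||', not a pipe
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={ev['pid']} cmdline={ev['cmdline']}")
```

Only pids 4101 and 4103 alert; adding `/opt/acme/bootstrap.sh` to the allowlist suppresses 4101 while keeping 4103.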
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
Created: 2022-03-14