
Netcat Listener Established via rlwrap

Elastic Detection Rules

Summary
This detection rule monitors for the execution of a netcat listener started through the rlwrap utility on Linux systems. Netcat, also known as 'nc', is a networking tool for reading from and writing to network connections over TCP or UDP. When paired with rlwrap, which adds readline-style line editing and history to the keyboard input of a command-line program, netcat can provide a far more usable interactive reverse shell. This combination is a security concern, as adversaries may use it to maintain persistent access to compromised systems. The rule is implemented in Elastic's security framework and matches process execution events where both 'rlwrap' and netcat-related arguments are present, indicating potentially malicious activity. The rule sets a low risk score of 21, reflecting the need for investigation while acknowledging possible legitimate uses. False positive scenarios are addressed, including legitimate administrative use and development environments. The setup requires the Elastic Defend integration and applies to environments monitoring Linux endpoints.
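As an added illustration of the matching logic described above (example code, not the published rule's query or anything from Elastic), the following Python applies the same condition to constructed ECS-style process events: a process start of rlwrap whose wrapped command is a netcat variant carrying a listen flag. The list of netcat binary names and the listen-flag check are assumptions, since the page does not give the rule's exact argument list.

```python
import os
from typing import Dict, List

# Binary names treated as "netcat-related" (assumption: the rule's exact list is not on the page).
NETCAT_BINARIES = {"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd"}

RISK_SCORE = 21  # risk score as stated on the page

# Constructed sample process events using ECS-style field names (not real telemetry).
SAMPLE_EVENTS: List[Dict] = [
    {"event.type": "start", "process.name": "rlwrap",
     "process.args": ["rlwrap", "nc", "-lvnp", "4444"]},                      # listener via rlwrap
    {"event.type": "start", "process.name": "rlwrap",
     "process.args": ["rlwrap", "-a", "/usr/bin/ncat", "--listen", "9001"]},  # rlwrap option, full path
    {"event.type": "start", "process.name": "rlwrap",
     "process.args": ["rlwrap", "python3"]},                                 # rlwrap without netcat
    {"event.type": "start", "process.name": "nc",
     "process.args": ["nc", "-l", "4444"]},                                  # netcat without rlwrap
    {"event.type": "end", "process.name": "rlwrap",
     "process.args": ["rlwrap", "nc", "-l", "4444"]},                        # process exit, not a start
    {"event.type": "start", "process.name": "rlwrap",
     "process.args": ["rlwrap", "nc", "example.invalid", "80"]},            # outbound client, no listen flag
]


def is_listener_flag(arg: str) -> bool:
    """True for '--listen' or a short-option cluster containing 'l' (e.g. -l, -lvnp)."""
    if arg == "--listen":
        return True
    return arg.startswith("-") and not arg.startswith("--") and "l" in arg[1:]


def matches_rlwrap_netcat_listener(event: Dict) -> bool:
    """Process start of rlwrap whose wrapped command is a netcat variant with a listen flag."""
    if event.get("event.type") != "start" or event.get("process.name") != "rlwrap":
        return False
    args = event.get("process.args", [])
    for i, arg in enumerate(args[1:], start=1):  # skip argv[0], which is rlwrap itself
        if os.path.basename(arg) in NETCAT_BINARIES:
            # Only flags after the netcat binary belong to netcat, not to rlwrap.
            return any(is_listener_flag(a) for a in args[i + 1:])
    return False


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert per matching event, tagged with the page's risk score."""
    return [{"index": i, "risk_score": RISK_SCORE, "command": " ".join(e["process.args"])}
            for i, e in enumerate(events) if matches_rlwrap_netcat_listener(e)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first two constructed events alert; the exit event, the unwrapped netcat and the outbound client are deliberately left out to show where the rule's boundaries lie.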
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Network Traffic
  • File
ATT&CK Techniques
  • T1059
  • T1059.004
Created: 2023-09-22