
Summary
This rule detects a shell spawned directly by the APT (Advanced Package Tool) package manager on Linux, a pattern that can indicate persistence through an APT backdoor. APT manages software on Debian-based systems: it installs, upgrades and removes packages and maintains repository configuration. It also executes commands that administrators or packages register in its configuration (for example hook directives in files under /etc/apt/apt.conf.d/), so an attacker who can write there can register a malicious command that APT runs every time packages are updated or installed, regaining access each time the victim performs routine maintenance. The rule therefore looks for process start events where APT is the parent and the child is a shell, so that such a hook fires an alert the first time it runs. Because some packages legitimately register hooks the same way, a match should be triaged against the shell's command line and the hook configuration present on the host rather than treated as a confirmed compromise.
Categories
- Endpoint
- Linux
Data Sources
- Process
- Logon Session
- Application Log
- Network Traffic
ATT&CK Techniques
- T1543
- T1546
- T1546.016
- T1574
- T1059
- T1059.004
Created: 2024-02-01