Potential Perl Reverse Shell Execution

Sigma Rules

Summary
This detection rule targets potential reverse shell execution on Linux systems by monitoring execution of the Perl interpreter. It looks specifically for the Perl binary being invoked with the '-e' command-line flag, which runs Perl code supplied directly on the command line, and combines that with keywords commonly associated with reverse shell behavior, such as networking functions and socket commands, to refine detection accuracy. The use case addresses unauthorized access and command execution, since a reverse shell gives an attacker remote control of the host. The rule increases visibility into potentially malicious Perl one-liners that could be used for exploitation.
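The matching logic the summary describes (Perl image, an '-e' style switch, and at least one networking keyword on the command line), run over a few constructed process-creation events. This is an added illustration, not the rule's own Sigma source; the keyword list is an assumption, since the page does not reproduce the rule's selection.

```python
import re
import shlex
from dataclasses import dataclass

# Assumed keyword set: the page says the rule pairs '-e' with "networking
# functions and socket commands" but lists none, so these are stand-ins.
NET_KEYWORDS = ("socket(", "connect(", "sockaddr_in", "getprotobyname", "exec(")
# Perl switch cluster carrying -e/-E (e.g. -e, -E, -le, -ne, -pe); code follows.
INLINE_CODE_SWITCH = re.compile(r"^-[A-Za-z]*[eE]$")

@dataclass
class ProcessEvent:
    image: str          # full path of the executed binary
    command_line: str   # process creation command line

def is_perl_image(image: str) -> bool:
    base = image.rsplit("/", 1)[-1]
    return base == "perl" or base.startswith("perl5")

def has_inline_code_switch(command_line: str) -> bool:
    """True when perl is told to run code given on the command line (-e/-E)."""
    try:
        argv = shlex.split(command_line)
    except ValueError:              # unbalanced quotes in telemetry
        argv = command_line.split()
    return any(INLINE_CODE_SWITCH.match(a) for a in argv[1:])

def matches_rule(ev: ProcessEvent) -> bool:
    """Image is perl AND an -e style switch AND at least one network keyword."""
    return (is_perl_image(ev.image)
            and has_inline_code_switch(ev.command_line)
            and any(k in ev.command_line for k in NET_KEYWORDS))

def scan(events) -> list:
    return [ev for ev in events if matches_rule(ev)]

# Constructed sample events (not real telemetry); only the last should alert.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/perl", "perl -e 'print \"hello\\n\"'"),
    ProcessEvent("/usr/bin/perl", "perl /usr/share/perl5/script.pl"),
    ProcessEvent("/usr/bin/python3", "python3 -c 'import socket'"),
    ProcessEvent("/usr/bin/perl", "perl -MSocket -e 'socket(S,PF_INET,SOCK_STREAM,"
                 "getprotobyname(\"tcp\"));connect(S,sockaddr_in(443,inet_aton(\"203.0.113.10\")))'"),
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print("ALERT:", ev.command_line)
```

Because the rule keys on the command line, Perl code read from a script file or standard input is outside its scope; network connection telemetry for the perl process covers those cases.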
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Command
Created: 2023-04-07