
Summary
This detection rule identifies the establishment of a potential reverse shell that originates from the execution of a suspicious binary on Linux systems. The rule focuses on events that suggest a chain of activity: execution of a binary located in a common attack path, followed by network activity from that process, and culminating in the spawning of a shell. Attackers often deploy reverse shells to maintain persistent access to compromised systems. The rule automates the detection of this behavior with an Elastic EQL (Event Query Language) query operating on logs collected through the Elastic Defend integration. The detection is built on three key events: the execution of a potentially malicious binary, an outbound or inbound network connection by that process, and the subsequent spawning of a shell process. A risk score of 47 indicates a moderate threat level, warranting monitoring and investigation for potential unauthorized access.
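As an added illustration (not the rule's own EQL and not Elastic's code), the Python below replays the three-stage chain described above over a handful of constructed events, keying stages 1 and 2 on the process and stage 3 on its parent. The suspicious-path list, the shell list, the 60-second window and the ECS-like field names are assumptions, since the page does not state the rule's actual values.

```python
from datetime import datetime, timedelta
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # assumed "common attack paths"
SHELLS = ("/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/bash")  # assumed shell set
MAXSPAN = timedelta(seconds=60)  # assumed maximum span between stage 1 and stage 3

def suspicious_exec(e):  # stage 1: binary executed from a common attack path
    return (e["category"] == "process" and e["action"] == "exec"
            and e["executable"].startswith(SUSPICIOUS_DIRS))

def network_activity(e):  # stage 2: the same process opens or accepts a connection
    return e["category"] == "network" and e["action"] in ("connection_attempted", "connection_accepted")

def shell_spawn(e):  # stage 3: a shell is spawned as a child of that process
    return e["category"] == "process" and e["action"] == "exec" and e["executable"] in SHELLS

def find_reverse_shell_chains(events):
    """Return (binary, shell) pairs for every process that completes all three stages in order."""
    stage = {}  # entity_id -> (stage reached, time of stage 1, binary path)
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if suspicious_exec(e):
            stage[e["entity_id"]] = (1, e["ts"], e["executable"])
            continue
        # Stage 3 is keyed on the parent process; stages 1 and 2 on the process itself.
        key = e.get("parent_entity_id") if shell_spawn(e) else e["entity_id"]
        st = stage.get(key)
        if st is None or e["ts"] - st[1] > MAXSPAN:
            continue  # no open chain for this process, or the window has expired
        if st[0] == 1 and network_activity(e):
            stage[key] = (2, st[1], st[2])
        elif st[0] == 2 and shell_spawn(e):
            hits.append((st[2], e["executable"]))
            stage.pop(key)  # chain complete; do not alert twice on the same process
    return hits

# Constructed sample events (not real telemetry); "ts" is the event timestamp.
T0 = datetime(2023, 7, 5, 12, 0, 0)
def ev(sec, **fields):
    return {"ts": T0 + timedelta(seconds=sec), **fields}

SAMPLE_EVENTS = [
    ev(0, category="process", action="exec", entity_id="p1", executable="/tmp/.x/agent"),
    ev(2, category="network", action="connection_attempted", entity_id="p1"),
    ev(3, category="process", action="exec", entity_id="p2", parent_entity_id="p1", executable="/bin/sh"),
    ev(5, category="process", action="exec", entity_id="p3", executable="/usr/bin/curl"),  # benign path
    ev(6, category="network", action="connection_attempted", entity_id="p3"),
    ev(10, category="process", action="exec", entity_id="p4", executable="/dev/shm/run"),
    ev(11, category="process", action="exec", entity_id="p5", parent_entity_id="p4", executable="/bin/bash"),  # no network stage
]
```

Only the first process completes all three stages in order; the benign `curl` never spawns a shell, and the `/dev/shm/run` chain is skipped because the shell appears before any network activity.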
Categories
- Endpoint
- Linux
Data Sources
- Process
- Network Traffic
- File
ATT&CK Techniques
- T1059
- T1059.004
- T1071
Created: 2023-07-05