
Interactive Terminal Spawned via Python

Elastic Detection Rules

Summary
This detection rule identifies when an attacker spawns an interactive terminal (tty) using Python on a Linux system. After initial access, attackers commonly upgrade a basic reverse shell to a fully interactive terminal to gain better control of the host. The rule triggers on process events in which Python is the parent process spawning a shell (bash, sh, etc.) with distinctive arguments. It is written in Elastic's EQL and analyzes process creation events collected by the Elastic Defend integration, which must be properly configured and deployed on the endpoints. Because this behavior is a strong indicator of post-compromise activity, the rule carries a high risk score of 73.
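The detection logic the summary describes, as an added example that is not Elastic's rule code: a Python re-implementation run over constructed process events. Field names follow ECS (`process.name`, `process.parent.name`, `process.parent.args`), the shell list is assumed, and treating a `pty.spawn` argument as the "distinctive argument" is an assumption about the rule's query.

```python
from typing import Dict, List

# Shells treated as "an interactive terminal being spawned" (assumed set).
SHELLS = {"bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"}


def is_python_tty_spawn(event: Dict) -> bool:
    """Return True for a Linux process-start event in which a Python parent
    launches a shell with inline code referencing pty.spawn."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    parent = event.get("process.parent.name", "")
    child = event.get("process.name", "")
    args = event.get("process.parent.args", [])
    if not parent.startswith("python") or child not in SHELLS:
        return False
    # Assumption: the "distinctive arguments" are inline code (-c) using pty.spawn.
    return "-c" in args and any("pty.spawn" in a for a in args)


def find_alerts(events: List[Dict]) -> List[str]:
    """Return the PIDs of matching events, in log order."""
    return [e["process.pid"] for e in events if is_python_tty_spawn(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Python parent spawning bash with pty.spawn: should alert
        "host.os.type": "linux", "event.type": "start", "process.pid": "4101",
        "process.name": "bash", "process.parent.name": "python3",
        "process.parent.args": ["python3", "-c", "import pty; pty.spawn('/bin/bash')"],
    },
    {   # Benign: a Python script running a shell via subprocess, no pty.spawn
        "host.os.type": "linux", "event.type": "start", "process.pid": "4102",
        "process.name": "sh", "process.parent.name": "python3",
        "process.parent.args": ["python3", "/opt/app/build.py"],
    },
    {   # Out of scope: same arguments on a non-Linux host
        "host.os.type": "macos", "event.type": "start", "process.pid": "4103",
        "process.name": "zsh", "process.parent.name": "python3",
        "process.parent.args": ["python3", "-c", "import pty; pty.spawn('/bin/zsh')"],
    },
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # ['4101']
```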
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Logon Session
  • User Account
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1059
  • T1059.006
Created: 2020-04-15