
Deprecated - Potential Reverse Shell via Suspicious Parent Process
Elastic Detection Rules
Summary
This detection rule identifies potential reverse shell activity on Linux systems by monitoring for process creations with suspicious parent-child relationships: a shell spawned by a utility that forks a child process and holds an outbound network connection. The rule uses an EQL (Event Query Language) sequence to pair the initial process creation with a subsequent network connection attempt from the same process lineage; it is this combination, not the process start alone, that qualifies as reverse shell behaviour. The parents it looks for are common scripting language interpreters and networking utilities that attackers abuse to obtain a remote interactive shell on a compromised host, and the match is keyed on arguments passed to these processes that indicate deliberate reverse shell use rather than ordinary scripting. Note that this rule has been deprecated and its logic consolidated into a broader reverse shell detection, which reduces the number of overlapping rules to maintain; deprecated rules receive no further tuning, so new deployments should enable the replacement rather than this one.
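To make the sequence logic concrete, the following added example emulates the two-stage correlation the summary describes over a handful of constructed ECS-style events. It is illustration written for this page, not Elastic's EQL rule or its query; the field names follow the Elastic Common Schema (`event.category`, `event.type`, `process.entity_id`, `process.parent.*`, `network.direction`), but the lists of interpreters, shells and argument markers, the five-second window, and the sample events are all assumptions chosen for the example. Because the socket may be held by either the spawned shell (bash `/dev/tcp`) or the parent that forked it (an interpreter or `nc`), the connection is matched against both entity IDs.

```python
"""Emulate an EQL-style sequence: suspicious shell fork, then egress connection.

Added example for this page; not Elastic's rule. Indicator lists, window and
sample events are assumptions, field names follow ECS.
"""
from datetime import datetime, timedelta

# Assumed indicators (not taken from the rule): parents that can fork a shell
# after opening a socket, the shells they spawn, and argument fragments that
# suggest an interactive shell wired to a network channel.
SUSPICIOUS_PARENTS = {"python", "python3", "perl", "php", "ruby", "nc", "ncat", "socat"}
SHELLS = {"sh", "bash", "dash", "zsh"}
ARG_MARKERS = ("-i", "/dev/tcp/", "pty.spawn", "socket")
WINDOW = timedelta(seconds=5)  # assumed maxspan for the sequence


def parse_ts(value):
    """Parse an ECS @timestamp such as 2023-07-04T10:00:00Z into a datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_suspicious_fork(event):
    """Process-start of a shell whose parent is an interpreter/network tool and
    whose own or parent's arguments carry a reverse shell marker."""
    if event.get("event.category") != "process" or event.get("event.type") != "start":
        return False
    proc = event["process"]
    parent = proc.get("parent", {})
    if proc.get("name") not in SHELLS or parent.get("name") not in SUSPICIOUS_PARENTS:
        return False
    argv = " ".join(proc.get("args", []) + parent.get("args", []))
    return any(marker in argv for marker in ARG_MARKERS)


def is_outbound_connection(event):
    """Egress network connection attempt (ECS network.direction == "egress")."""
    return (event.get("event.category") == "network"
            and event.get("event.type") == "start"
            and event.get("network.direction") == "egress")


def detect_reverse_shells(events):
    """Second stage: an egress connection within WINDOW of a suspicious fork,
    made by either the spawned shell or the parent that forked it."""
    alerts = []
    pending = {}  # entity_id (child or parent) -> the fork event awaiting a connection
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        ts = parse_ts(ev["@timestamp"])
        if is_suspicious_fork(ev):
            proc = ev["process"]
            pending[proc["entity_id"]] = ev
            pending[proc["parent"]["entity_id"]] = ev
            continue
        if not is_outbound_connection(ev):
            continue
        fork = pending.get(ev["process"]["entity_id"])
        if fork is None or ts - parse_ts(fork["@timestamp"]) > WINDOW:
            continue  # no candidate fork, or outside the sequence window
        dest = ev.get("destination", {})
        alerts.append({
            "timestamp": ev["@timestamp"],
            "shell": fork["process"]["name"],
            "parent": fork["process"]["parent"]["name"],
            "destination": f"{dest.get('ip')}:{dest.get('port')}",
        })
        for key in (fork["process"]["entity_id"], fork["process"]["parent"]["entity_id"]):
            pending.pop(key, None)  # each fork alerts at most once
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # python3 forks an interactive sh, then the interpreter connects out: alert.
    {"@timestamp": "2023-07-04T10:00:00Z", "event.category": "process", "event.type": "start",
     "process": {"entity_id": "p2", "name": "sh", "args": ["sh", "-i"],
                 "parent": {"entity_id": "p1", "name": "python3",
                            "args": ["python3", "-c", "import socket,subprocess,os"]}}},
    {"@timestamp": "2023-07-04T10:00:01Z", "event.category": "network", "event.type": "start",
     "network.direction": "egress", "destination": {"ip": "203.0.113.10", "port": 4444},
     "process": {"entity_id": "p1", "name": "python3"}},
    # Benign: sshd spawns a login shell, which later runs curl: no alert.
    {"@timestamp": "2023-07-04T10:00:10Z", "event.category": "process", "event.type": "start",
     "process": {"entity_id": "p4", "name": "bash", "args": ["-bash"],
                 "parent": {"entity_id": "p3", "name": "sshd", "args": ["sshd: alice"]}}},
    {"@timestamp": "2023-07-04T10:00:12Z", "event.category": "network", "event.type": "start",
     "network.direction": "egress", "destination": {"ip": "198.51.100.7", "port": 443},
     "process": {"entity_id": "p5", "name": "curl"}},
    # Suspicious fork whose connection comes 30s later, outside the window: no alert.
    {"@timestamp": "2023-07-04T10:01:00Z", "event.category": "process", "event.type": "start",
     "process": {"entity_id": "p7", "name": "sh", "args": ["sh", "-i"],
                 "parent": {"entity_id": "p6", "name": "perl", "args": ["perl", "-e", "use Socket;"]}}},
    {"@timestamp": "2023-07-04T10:01:30Z", "event.category": "network", "event.type": "start",
     "network.direction": "egress", "destination": {"ip": "203.0.113.10", "port": 4444},
     "process": {"entity_id": "p6", "name": "perl"}},
]

if __name__ == "__main__":
    for alert in detect_reverse_shells(SAMPLE_EVENTS):
        print(alert)
```

Running the block reports a single alert for the python3 lineage; the sshd login shell never passes the first stage, and the perl fork is dropped because its connection falls outside the window, which is the same pruning an EQL `maxspan` performs. Tuning the window and the marker list against your own telemetry is where the real work of such a rule lies.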
Categories
- Endpoint
- Linux
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1059 (Command and Scripting Interpreter)
- T1059.004 (Unix Shell)
- T1071 (Application Layer Protocol)
Created: 2023-07-04