
Summary
This detection rule identifies potential upgrades of non-interactive shells to fully interactive shells on Linux systems. After gaining initial access to a host, attackers may use a non-interactive reverse shell to establish a connection and then upgrade it into a more stable environment with terminal commands such as `stty` or `script`. The rule monitors process executions that indicate such an upgrade: `stty` run with arguments that take control of the terminal (e.g., `stty raw -echo`), or `script` run with specific flags (e.g., `script -qc /dev/null`). An alert fires when one of these processes starts, which can indicate an attacker attempting to maintain access to or control of the host. Proper setup requires integrating Elastic Defend and enabling process monitoring for the terminal-manipulation commands above; the rule documentation also covers the investigation and response steps to follow after an alert.
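The matching logic described above, as an added example that is not the rule's own query: it applies the page's two patterns (`stty` with `raw` and `-echo`, `script` with `-qc` and `/dev/null`) to constructed process-creation events. The event fields `name`, `args` and `parent` are assumptions for this example, not the schema of any particular sensor.

```python
"""Toy detector for the stty/script shell-upgrade pattern (example code)."""
import shlex


def process_event(command_line: str, parent: str) -> dict:
    """Build a constructed process-creation event from a command line.

    Field names are an assumption for this example, not a real sensor schema.
    """
    argv = shlex.split(command_line)
    return {
        "name": argv[0].rsplit("/", 1)[-1],  # strip any directory prefix
        "args": argv[1:],
        "parent": parent,  # kept for triage; not part of the match
    }


def is_shell_upgrade(event: dict) -> bool:
    """Return True when the event matches either upgrade pattern from the page."""
    name, args = event["name"], set(event["args"])
    # Pattern 1: stty switching the terminal to raw mode with echo disabled.
    if name == "stty" and {"raw", "-echo"} <= args:
        return True
    # Pattern 2: script run quietly with a command and /dev/null as the
    # typescript file. Accept the fused `-qc` form and the split `-q -c` form.
    if name == "script":
        quiet_with_command = "-qc" in args or {"-q", "-c"} <= args
        return quiet_with_command and "/dev/null" in args
    return False


def alerts(events):
    """Return the (name, parent) pairs that should raise an alert."""
    return [(e["name"], e["parent"]) for e in events if is_shell_upgrade(e)]


# Constructed sample events: two should match, three are ordinary usage.
SAMPLE_EVENTS = [
    process_event("stty raw -echo", parent="bash"),
    process_event("/usr/bin/script -qc /bin/bash /dev/null", parent="sh"),
    process_event("stty -a", parent="bash"),
    process_event("stty sane", parent="bash"),
    process_event("script session.log", parent="zsh"),
]

if __name__ == "__main__":
    for name, parent in alerts(SAMPLE_EVENTS):
        print(f"ALERT: {name} launched by {parent}")
```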
Categories
- Endpoint
- Linux
Data Sources
- Process
- Logon Session
- Application Log
- Network Traffic
ATT&CK Techniques
- T1059
- T1059.004
Created: 2023-09-20