
Summary
This detection rule identifies potential reverse shell activity over TCP on Linux systems by correlating network traffic with the subsequent creation of suspicious shell processes. It flags cases where a reverse shell may have been established, giving an attacker remote access, by matching command-line arguments associated with shell processes such as bash or socat. The detection mechanism uses a sequence: a network event (a connection attempt or an accepted connection) followed, within a defined time window, by a shell execution whose arguments match known reverse shell patterns. The rule operates in the context of Elastic Defend and requires that integration to be set up for effective monitoring; it is a critical control for strengthening endpoint security against sophisticated intrusion techniques.
Categories
- Endpoint
- Linux
Data Sources
- Network Traffic
- Process
- File
ATT&CK Techniques
- T1059
- T1059.004
- T1071
Created: 2023-11-02