
Summary
This detection rule identifies execution of the ProxyChains utility on Linux systems. Attackers use ProxyChains to force a tool's TCP connections through one or more SOCKS or HTTP proxies, hiding the true origin of the traffic and tunneling command-and-control sessions past network controls. The rule is written in the Event Query Language (EQL) and matches process start events whose process name indicates that ProxyChains was launched. It reads from endpoint event and audit log indices as well as third-party EDR data such as CrowdStrike and SentinelOne. Correlating the flagged process with its parent process, command line, and invoking user helps analysts separate legitimate administrative use from command-and-control tunneling. The rule also includes investigation steps, known false positives, and recommended response actions, and prioritizes context and business relevance when assessing an alert.
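As an added illustration, not the rule's own EQL (which the page does not reproduce), the following Python reimplements the process-start check the summary describes and runs it over constructed ECS-style events. The process names, the set of start actions, and the sample log lines are assumptions made for this example.

```python
"""Added example: Python stand-in for a ProxyChains process-start detection.
Not the Elastic rule's own query; field names follow ECS, sample data is constructed."""
import json
from typing import Any, Iterable

# Names under which ProxyChains runs on Linux (proxychains-ng installs as
# proxychains4). Assumption: the rule's own list may differ.
PROXYCHAINS_NAMES = {"proxychains", "proxychains4"}
# Process-start actions as emitted by endpoint, auditd and EDR integrations.
# Assumption, not quoted from the rule.
START_ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2"}


def field(event: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted ECS path such as 'process.parent.name' through nested dicts."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_proxychains_start(event: dict) -> bool:
    """Equivalent of an EQL 'process where host.os.type == "linux" and
    event.type == "start" and process.name in (...)' check."""
    types = field(event, "event.type", [])
    if isinstance(types, str):  # ECS allows a scalar or a list here
        types = [types]
    return (
        field(event, "host.os.type") == "linux"
        and "start" in types
        and field(event, "event.action") in START_ACTIONS
        and field(event, "process.name") in PROXYCHAINS_NAMES
    )


def triage_context(event: dict) -> dict:
    """Fields an analyst wants first: who ran it, from what parent, wrapping what."""
    args = field(event, "process.args", []) or []
    # Skip the proxychains binary and its -q (quiet) / -f <conf> options;
    # what remains is the command whose traffic is being proxied.
    wrapped: list = []
    i = 1
    while i < len(args):
        if args[i] == "-q":
            i += 1
        elif args[i] == "-f" and i + 1 < len(args):
            i += 2
        else:
            wrapped = args[i:]
            break
    return {
        "host": field(event, "host.name"),
        "user": field(event, "user.name"),
        "parent": field(event, "process.parent.name"),
        "wrapped_command": " ".join(wrapped),
    }


def detect(lines: Iterable[str]) -> list:
    """Run the check over NDJSON event lines and return triage context for hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_proxychains_start(event):
            hits.append(triage_context(event))
    return hits


# Constructed sample events in ECS shape (not real telemetry). Only the first
# and last lines should match: the others are a non-ProxyChains process, a
# non-Linux host, and a process end rather than start.
SAMPLE_LOG = """
{"host":{"name":"web01","os":{"type":"linux"}},"event":{"type":["start"],"action":"exec"},"user":{"name":"www-data"},"process":{"name":"proxychains4","args":["proxychains4","-q","nmap","-sT","10.0.0.5"],"parent":{"name":"bash"}}}
{"host":{"name":"web01","os":{"type":"linux"}},"event":{"type":["start"],"action":"exec"},"user":{"name":"www-data"},"process":{"name":"curl","args":["curl","https://example.com"],"parent":{"name":"bash"}}}
{"host":{"name":"mac01","os":{"type":"macos"}},"event":{"type":["start"],"action":"exec"},"user":{"name":"alice"},"process":{"name":"proxychains4","args":["proxychains4","ssh","10.0.0.9"],"parent":{"name":"zsh"}}}
{"host":{"name":"web01","os":{"type":"linux"}},"event":{"type":["end"],"action":"end"},"user":{"name":"www-data"},"process":{"name":"proxychains4","args":["proxychains4","-q","nmap","-sT","10.0.0.5"],"parent":{"name":"bash"}}}
{"host":{"name":"jump01","os":{"type":"linux"}},"event":{"type":"start","action":"ProcessRollup2"},"user":{"name":"alice"},"process":{"name":"proxychains","args":["proxychains","-f","/home/alice/pc.conf","ssh","db01"],"parent":{"name":"sshd"}}}
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(hit)
```

The wrapped command and parent process are what decide the triage: a web-server account wrapping `nmap` from a shell is far more suspicious than an administrator wrapping `ssh` from an interactive login, which is the kind of false positive the rule's own guidance asks analysts to weigh.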
Categories
- Endpoint
- Linux
- Cloud
Data Sources
- Process
- Network Traffic
- Application Log
- User Account
- Firewall
ATT&CK Techniques
- T1572 (Protocol Tunneling)
Created: 2023-08-23