
Summary
This detection rule identifies executions of SSH with the '-T' option, which disables pseudo-terminal (pty) allocation for the session. Without a pty, sshd does not record the login in utmp/wtmp (so the session is absent from 'who' and 'last') and the remote shell runs non-interactively, so Bash does not append the commands to '~/.bash_history'. Adversaries use this to avoid leaving command history in environments where that history would otherwise reveal their actions after a compromise; the behaviour maps to T1070.003 (Indicator Removal: Clear Command History). The check is case-sensitive: lowercase '-t' forces pty allocation and is not a match.

The rule is written in the Snowflake logic format and queries EDR process-execution logs for launches of SSH whose command line matches a regular expression containing the '-T' switch, either standalone or inside a combined flag group such as '-Tq'. It examines events from the last two hours so that misuse is caught in near real time. Expect benign hits from automation and from connectivity tests such as the widely documented 'ssh -T git@github.com', so baseline by user, source host and destination before alerting on every match.
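As an added illustration (not part of the rule or its Snowflake query), the Python below applies the same logic to a handful of constructed process-execution events: it keeps only ssh launches inside the two-hour window and walks the command line the way ssh's own option parser does, recognising '-T' alone or inside a flag group while ignoring lowercase '-t', a '-T' that belongs to the remote command, and scp's unrelated '-T'. It also flags the equivalent '-o RequestTTY=no', which goes beyond the '-T' regex described above. Event field names, hostnames, users and timestamps are assumptions.

```python
"""Toy detector for ssh launched with pty allocation disabled.

Added example modelled on the rule summary; the events, field names and
two-hour window below are constructed assumptions, not real EDR telemetry.
"""
import os
import re
import shlex
from datetime import datetime, timedelta, timezone
from typing import Optional

# ssh(1) options that consume an argument, so that "-p 2222" or "-i key" is
# neither mistaken for the destination nor scanned as a flag group.
ARG_OPTS = set("bBcDEeFIiJLlmOopQRSWw")

# Matches the value given to -o: "RequestTTY=no" or "RequestTTY no" (case-insensitive).
REQUEST_TTY_NO = re.compile(r"\s*RequestTTY\s*=?\s*no\s*", re.IGNORECASE)


def ssh_pty_disabled(cmdline: str) -> Optional[str]:
    """Return "-T" or "RequestTTY=no" if the ssh command line disables pty
    allocation, otherwise None.

    ssh stops option parsing at the first word after the destination; anything
    later is the remote command, so a "-T" there is not an ssh flag.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: not a parseable ssh invocation
        return None
    if not argv or os.path.basename(argv[0]) != "ssh":
        return None

    reason = None
    non_option_words = 0        # 1st = destination, 2nd = start of remote command
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            break               # explicit end of options
        if tok.startswith("-") and len(tok) > 1:
            j = 1
            while j < len(tok):     # combined flag groups such as -Tq or -qTp
                ch = tok[j]
                if ch in ARG_OPTS:
                    arg = tok[j + 1:]               # "-p2222" form
                    if not arg and i + 1 < len(argv):
                        i += 1                      # "-p 2222" form
                        arg = argv[i]
                    if ch == "o" and REQUEST_TTY_NO.fullmatch(arg):
                        reason = "RequestTTY=no"
                    break                           # rest of the group was the argument
                if ch == "T":                       # lowercase -t forces a pty: not a match
                    reason = "-T"
                j += 1
        else:
            non_option_words += 1
            if non_option_words == 2:
                break           # remote command begins; ssh parses no further options
        i += 1
    return reason


def detect(events, now, window=timedelta(hours=2)):
    """Return the ssh process-execution events within `window` of `now` that
    disable pty allocation, each annotated with the reason."""
    hits = []
    for ev in events:
        if ev["process"] != "ssh":
            continue
        if not (now - window <= ev["ts"] <= now):
            continue
        reason = ssh_pty_disabled(ev["cmdline"])
        if reason:
            hits.append({**ev, "reason": reason})
    return hits


NOW = datetime(2024, 2, 9, 12, 0, tzinfo=timezone.utc)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": NOW - timedelta(minutes=5), "host": "web01", "user": "deploy", "process": "ssh",
     "cmdline": "ssh -T -p 2222 deploy@10.0.0.5"},                       # plain -T: hit
    {"ts": NOW - timedelta(minutes=20), "host": "web01", "user": "alice", "process": "ssh",
     "cmdline": "ssh -Tq -i /home/alice/.ssh/id_ed25519 alice@jump01"},  # combined group: hit
    {"ts": NOW - timedelta(minutes=30), "host": "db01", "user": "bob", "process": "ssh",
     "cmdline": "ssh -o RequestTTY=no bob@db02 'cat /etc/passwd'"},      # equivalent option: hit
    {"ts": NOW - timedelta(minutes=40), "host": "db01", "user": "bob", "process": "ssh",
     "cmdline": "ssh -t bob@db02 sudo -i"},                              # lowercase -t: no
    {"ts": NOW - timedelta(minutes=50), "host": "web01", "user": "alice", "process": "ssh",
     "cmdline": "ssh alice@jump01 grep -T pattern file"},                # remote command's -T: no
    {"ts": NOW - timedelta(hours=3), "host": "web02", "user": "root", "process": "ssh",
     "cmdline": "ssh -T root@10.0.0.9"},                                 # outside the window: no
    {"ts": NOW - timedelta(minutes=2), "host": "web02", "user": "root", "process": "scp",
     "cmdline": "scp -T file root@10.0.0.9:/tmp/"},                      # scp, not ssh: no
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, NOW):
        print(f"{hit['ts']:%H:%M} {hit['host']} {hit['user']}: {hit['cmdline']}  [{hit['reason']}]")
```

Running it prints the first three sample events and nothing else. The remote-command case is the one most easily over-matched by a bare regex: a pattern that only looks for '-T' anywhere in the command line would flag 'ssh host grep -T ...' even though ssh itself allocates a pty there.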
Categories
- Linux
- Endpoint
Data Sources
- Process
- File
ATT&CK Techniques
- T1070.003
Created: 2024-02-09