
Screen Capture with Xwd

Sigma Rules

Summary
This detection rule monitors for use of the X Window System screen capture utility, xwd, on Linux systems. It flags executions of the xwd command that take a screenshot of the entire desktop or of an individual application window, activity that can indicate collection of sensitive on-screen information without the user's consent. Two command patterns are covered: one that captures the full root window (the -root option) and writes it to a .xwd file, and one that writes a .xwd file without the root-window option, i.e. a single window is captured instead. Screenshot tools are common on user workstations, so the rule is noisy there; deploying it on servers, where an interactive screen capture is rarely expected, is recommended to surface unauthorized screen capture activity. The rule relies on auditd process-execution (EXECVE) records and correlated conditions on the command's arguments to identify potential threats.
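To make the two patterns concrete, the following is an added example, not the Sigma rule itself and not code from this page: it parses auditd EXECVE records and applies the matching logic described above over a few constructed log lines. It generalizes slightly from the summary: the -root option may appear anywhere in the argument list, the output file is whatever follows -out, and the program is matched on its basename so /usr/bin/xwd also counts. The sample records, the serial numbers in them, and the function names are constructed for this example; the hex-encoded argument in record 205 mirrors how auditd emits values that contain spaces.

```python
import os
import re

# Constructed sample auditd EXECVE records for this example (not real telemetry).
# Record 203 writes the capture to stdout (no -out), record 204 is unrelated,
# record 205 carries a hex-encoded argument ("/tmp/my shot.xwd") as auditd
# emits for values containing spaces, and record 206 is not an EXECVE record.
SAMPLE_AUDIT_LOG = """\
type=EXECVE msg=audit(1631520001.101:201): argc=4 a0="xwd" a1="-root" a2="-out" a3="/tmp/desktop.xwd"
type=EXECVE msg=audit(1631520002.102:202): argc=3 a0="xwd" a1="-out" a2="/tmp/window.xwd"
type=EXECVE msg=audit(1631520003.103:203): argc=3 a0="xwd" a1="-root" a2="-silent"
type=EXECVE msg=audit(1631520004.104:204): argc=3 a0="ls" a1="-la" a2="/tmp"
type=EXECVE msg=audit(1631520005.105:205): argc=4 a0="/usr/bin/xwd" a1="-out" a2=2F746D702F6D792073686F742E787764 a3="-root"
type=SYSCALL msg=audit(1631520006.106:206): arch=c000003e syscall=59 success=yes exit=0
"""

# aN="quoted value" or aN=HEXSTRING (auditd hex-encodes args with special characters)
_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
_SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def parse_execve(line):
    """Return (serial, argv) for an auditd EXECVE record, or None for any other record type."""
    if not line.startswith("type=EXECVE "):
        return None
    m = _SERIAL_RE.search(line)
    serial = int(m.group(1)) if m else -1
    args = {}
    for idx, quoted, hexed in _ARG_RE.findall(line):
        # An empty quoted value leaves both groups empty; only decode when hex is present.
        value = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
        args[int(idx)] = value
    argv = [args[i] for i in sorted(args)]
    return serial, argv


def classify_xwd(argv):
    """Classify an argv as one of the two xwd capture patterns, or None.

    Pattern 1 (root window): xwd ... -root ... -out <file>.xwd
    Pattern 2 (single window): xwd ... -out <file>.xwd with no -root
    The assumption here is that the output file is the argument after -out.
    """
    if not argv or os.path.basename(argv[0]) != "xwd":
        return None
    try:
        out_file = argv[argv.index("-out") + 1]
    except (ValueError, IndexError):
        return None  # no -out, or -out is the last argument
    if not out_file.endswith(".xwd"):
        return None
    return "root_window_capture" if "-root" in argv[1:] else "window_capture"


def scan_audit_log(text):
    """Run the detection over raw auditd output; returns (serial, verdict, command) per hit."""
    hits = []
    for line in text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        serial, argv = parsed
        verdict = classify_xwd(argv)
        if verdict is not None:
            hits.append((serial, verdict, " ".join(argv)))
    return hits


if __name__ == "__main__":
    for serial, verdict, command in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{serial}: {verdict}: {command}")
```

Record 203 is the caveat a practitioner should keep in mind: xwd writes to stdout when -out is absent, so "xwd -root > /tmp/shot.xwd" never shows a .xwd argument in the EXECVE record (the redirection is handled by the shell) and neither pattern fires. Pairing this rule with a detection on xwd executions that carry -root alone, or on writes of files with the XWD magic, closes that gap at the cost of more noise.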
Categories
  • Linux
  • Infrastructure
Data Sources
  • Process
  • User Account
ATT&CK Techniques
  • T1113
Created: 2021-09-13