Linux Auditd Data Destruction Command

Splunk Security Content

Summary
This detection rule identifies the execution of potentially destructive commands on Linux hosts, specifically the 'rm -rf --no-preserve-root' invocation. Using Linux Auditd data, in particular 'execve' system call records, the analytic detects attempts at mass data deletion that may indicate malicious intent, such as the wiper behaviour associated with malware like Awfulshred. Because such commands can cause data loss and system instability, alerts generated by this rule should be investigated promptly. The rule is designed for use within Splunk and requires Auditd logs to be ingested and normalized correctly to provide effective monitoring of Linux endpoints.
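As an added illustration of the logic this rule relies on (this is not the Splunk rule's own SPL or code), the Python below parses auditd EXECVE records, rebuilds the argument vector, and flags rm invocations that combine recursive and force flags with --no-preserve-root. The log lines are constructed samples; the parser also handles auditd's hex encoding of arguments that contain whitespace, and split or combined short flags, so that `-r -f` and `-fr` are caught alongside `-rf`.

```python
import re
from os.path import basename

# Constructed sample auditd EXECVE records (not real logs). Events 201 and 202
# are destructive (202 uses split flags and a hex-encoded argument); 203 and
# 204 are benign and must not fire.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1736937600.101:201): argc=4 a0="rm" a1="-rf" a2="--no-preserve-root" a3="/"
type=EXECVE msg=audit(1736937600.102:202): argc=5 a0="/bin/rm" a1="-r" a2="-f" a3="--no-preserve-root" a4=2F686F6D65206469722F
type=EXECVE msg=audit(1736937600.103:203): argc=3 a0="rm" a1="-rf" a2="/tmp/build"
type=EXECVE msg=audit(1736937600.104:204): argc=2 a0="ls" a1="--no-preserve-root"
"""

# aN="quoted value"  or  aN=HEX (auditd hex-encodes args with whitespace/control chars)
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def parse_execve(line):
    """Return argv for an auditd EXECVE record, or None for other record types."""
    if "type=EXECVE" not in line:
        return None
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        args[int(idx)] = quoted if hexed == "" else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]

def is_destructive_rm(argv):
    """True when argv is rm with recursive + force flags and --no-preserve-root."""
    if not argv or basename(argv[0]) != "rm":
        return False
    flags = set()
    for arg in argv[1:]:
        if arg.startswith("--"):
            flags.add(arg)
        elif arg.startswith("-") and len(arg) > 1:
            flags.update("-" + c for c in arg[1:])  # split combined short flags, e.g. -rf
    recursive = flags & {"-r", "-R", "--recursive"}
    force = flags & {"-f", "--force"}
    return bool(recursive and force and "--no-preserve-root" in flags)

def find_destructive_commands(log_text):
    """Return (audit event id, argv) for every EXECVE record that matches."""
    hits = []
    for line in log_text.splitlines():
        argv = parse_execve(line)
        if argv and is_destructive_rm(argv):
            event_id = re.search(r"msg=audit\([^:]+:(\d+)\)", line).group(1)
            hits.append((event_id, argv))
    return hits

if __name__ == "__main__":
    for event_id, argv in find_destructive_commands(SAMPLE_LOG):
        print(f"event {event_id}: {' '.join(argv)}")
```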
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • File
  • Logon Session
ATT&CK Techniques
  • T1485
Created: 2025-01-15