Suspicious History File Operations - Linux

Sigma Rules

Summary
This detection rule identifies suspicious command-line operations that interact with shell history files on Linux systems. Shell history files such as '.bash_history', '.zsh_history', '.zhistory', '.history', '.sh_history', and 'fish_history' record user activity and can contain sensitive commands executed by users. The rule captures events in which the execve system call, which executes programs, is invoked with one of these history files referenced on the command line. The intention is to flag any unauthorized or unusual access to these files, which may indicate malicious intent such as modifying command history to conceal actions or to gain unauthorized access. This rule is part of a broader effort to monitor and protect against credential access attacks, specifically the malicious use of command-line history to obscure traces of activity. False positives may arise from legitimate administrative tasks or from users and automated scripts clearing history files, so flagged events should be analysed carefully before concluding that activity is malicious.
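As an added example (not the rule's own Sigma logic, which this page does not reproduce), the following Python applies the condition described above, an execve event whose arguments reference one of the listed history files, to a few constructed auditd-style EXECVE records. The log format, the event-id extraction and the substring match on arguments are assumptions made for the example.

```python
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Shell history files named in the rule summary.
HISTORY_FILES = (
    ".bash_history", ".zsh_history", ".zhistory",
    ".history", ".sh_history", "fish_history",
)

# Constructed auditd-style EXECVE records (not real log data); one event per line.
# Assumed layout: key=value pairs, with a0..aN holding the execve argument vector.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.001:101): argc=3 a0="cat" a1="/home/alice/.bash_history" a2="-n"
type=EXECVE msg=audit(1700000000.002:102): argc=2 a0="ls" a1="-la"
type=EXECVE msg=audit(1700000000.003:103): argc=4 a0="ln" a1="-sf" a2="/dev/null" a3="/root/.zsh_history"
type=EXECVE msg=audit(1700000000.004:104): argc=3 a0="grep" a1="-i" a2="history"
type=EXECVE msg=audit(1700000000.005:105): argc=2 a0="shred" a1="/home/bob/.history"
"""

ARG_RE = re.compile(r'\ba\d+="([^"]*)"')           # a0="..." a1="..." ...
EVENT_ID_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # serial number after the timestamp


def parse_execve(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (event_id, argv) for an EXECVE record, or None for anything else."""
    if "type=EXECVE" not in line:
        return None
    m = EVENT_ID_RE.search(line)
    args = ARG_RE.findall(line)
    if not m or not args:
        return None
    return m.group(1), args


def scan(log_text: str) -> List[Dict[str, object]]:
    """Flag execve events whose argument vector references a shell history file.

    Matching is a plain substring test, so a bare word like 'history' (event 104)
    is not flagged; only paths or names containing one of HISTORY_FILES are.
    """
    hits = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        event_id, args = parsed
        matched = [a for a in args if any(h in a for h in HISTORY_FILES)]
        if matched:
            hits.append({"event_id": event_id, "command": shlex.join(args), "history_paths": matched})
    return hits
```

Each hit still needs triage against the false-positive sources the summary lists (administrative cleanup, scripted history rotation) before it is treated as malicious.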
Categories
  • Linux
  • Endpoint
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1552.003
Created: 2020-10-17