
Windows Indicator Removal Via Rmdir

Splunk Security Content

Summary
This detection rule identifies execution of the cmd.exe built-in 'rmdir' (or its alias 'rd') with the '/s' and '/q' switches: '/s' deletes the target directory together with every file and subdirectory beneath it, and '/q' suppresses the confirmation prompt that '/s' would otherwise raise, so an entire tree is removed silently in a single command. The rule leverages process-execution telemetry from Endpoint Detection and Response (EDR) solutions, including the full command line, to surface these invocations. Because 'rmdir' is internal to cmd.exe rather than a separate executable, the process image observed is cmd.exe (or the shell that spawned it); the signal lives in the command-line arguments, not in the image name. Silently wiping a directory tree is a common way for malware to erase the files it dropped or staged once execution is complete, removing indicators of compromise and hindering forensic reconstruction of what ran on the host (ATT&CK T1070, Indicator Removal). The same command is also used legitimately by build systems, installers and cleanup scripts, so a hit should be reviewed against the parent process and the directory being deleted before it is treated as evidence of compromise.
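As an added example (not the rule's own Splunk search, and not part of the original page), the following Python applies the same logic to a handful of constructed process-creation records. It covers the cases a search over the raw command line also has to handle: the 'rd' alias, switch order and letter case, the combined '/s/q' form, a chained command inside 'cmd /c', and cmd.exe's own '/q' switch appearing before the rmdir token. The event field names and the sample events are assumptions made for the example.

```python
"""Added example: rmdir /s /q detection run over constructed process-creation events."""
import re

# Constructed sample telemetry (not real EDR output). Each record mimics a
# process-creation event with an image path, parent image and full command line.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r'cmd.exe /c rmdir /s /q "C:\Users\alice\AppData\Local\Temp\stage"'},
    {"id": 2, "image": r"C:\Windows\System32\cmd.exe",          # rd alias, upper case, reversed order
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /c RD /Q /S C:\build\obj"},
    {"id": 3, "image": r"C:\Windows\System32\cmd.exe",          # /s alone still prompts: no alert
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c rmdir /s C:\build\obj"},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",          # combined switches, chained command
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'cmd /c "cd C:\ProgramData\ && rmdir /s/q logs"'},
    {"id": 5, "image": r"C:\Windows\System32\cmd.exe",          # dir also takes /s /q: not rmdir
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c dir /s /q C:\Users"},
    {"id": 6, "image": r"C:\Windows\System32\cmd.exe",          # 'rmdir' as a file name, not the command
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c copy rmdir.txt C:\rmdir /s"},
]

SEPARATOR_RE = re.compile(r"&&|\|\||&|\|")        # cmd.exe command separators
CMD_NAMES = {"rmdir", "rd"}                       # rd is the built-in alias of rmdir
SWITCH_TOKEN_RE = re.compile(r"^(?:/[a-z])+$")    # '/s', '/q', '/s/q', ...


def _switches_after_command(segment):
    """Return the set of single-letter switches following rmdir/rd in one cmd
    segment, or None if the segment does not run rmdir/rd at all."""
    tokens = segment.replace('"', " ").split()
    # Skip the cmd.exe launcher and its own switches (/c, /k, /q, ...):
    # in 'cmd /q /c rmdir /s x' the /q belongs to cmd, not to rmdir.
    i = 0
    while i < len(tokens) and (
        tokens[i].lower().rsplit("\\", 1)[-1] in ("cmd", "cmd.exe")
        or tokens[i].startswith("/")
    ):
        i += 1
    if i >= len(tokens) or tokens[i].lower() not in CMD_NAMES:
        return None
    switches = set()
    for tok in tokens[i + 1:]:
        if SWITCH_TOKEN_RE.match(tok.lower()):
            switches.update(tok.lower()[1::2])    # '/s/q' -> {'s', 'q'}
    return switches


def detect(events):
    """Return one alert per event whose command line runs rmdir/rd with both
    /s and /q in any order or case. The parent image is carried along as the
    first triage context an analyst needs (assumed field, not the rule's logic)."""
    alerts = []
    for ev in events:
        for segment in SEPARATOR_RE.split(ev["cmdline"]):
            sw = _switches_after_command(segment)
            if sw is not None and {"s", "q"} <= sw:
                alerts.append({"id": ev["id"], "parent": ev["parent"],
                               "segment": segment.strip()})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"event {a['id']}: parent={a['parent']} cmd={a['segment']!r}")
```

Run stand-alone, the block alerts on events 1, 2 and 4 and stays silent on 3 (no '/q', so the tree deletion would still prompt), 5 ('dir' happens to accept the same two switches) and 6 ('rmdir' is a file name). Splitting on the cmd separators first is what keeps the '/q' that cmd.exe itself received from being credited to an rmdir later in the same line.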
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1070
Created: 2024-11-13