
Summary
This detection rule identifies potential abuse of the Linux 'vi' and 'vim' command-line text editors that leads to the spawning of an interactive shell (bash or sh). The rule is designed to catch scenarios where a parent process named 'vi' or 'vim' is invoked with a specific argument (-c) that allows shell commands to be executed. If these commands include shell-spawning commands (e.g., :!/bin/bash), the rule triggers an alert, as this behavior is atypical of legitimate user or administrator activity. Such behavior may indicate a malicious actor attempting to elevate their access or exploit a system by escaping a restricted shell environment. The rule uses EQL (Event Query Language) for querying and is implemented on the Elastic Stack, targeting events collected in the 'logs-endpoint.events.*' index. With a risk score of 47, this rule falls under a medium severity classification, highlighting the need to monitor potentially dangerous command executions within a Linux environment.
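The matching logic the summary describes, re-implemented in Python and run over constructed process-start events (an added example, not the rule's own EQL or Elastic code; the ECS-style field names, the event records and the shell-escape regex are assumptions made for illustration):

```python
import re

SHELLS = {"bash", "sh"}
EDITORS = {"vi", "vim"}
# An ex-mode shell escape passed via -c, e.g. ":!/bin/bash", ":!sh", ":!bash -i".
SHELL_ESCAPE = re.compile(r"^:!\s*(?:\S*/)?(?:bash|sh)(?:\s|$)")


def matches_vi_shell_breakout(event: dict) -> bool:
    """True when a bash/sh process starts under vi/vim that was run with
    '-c' and a shell-spawning ex command, the pattern the rule describes."""
    if event.get("event.type") != "start":
        return False
    if event.get("process.name") not in SHELLS:
        return False
    if event.get("process.parent.name") not in EDITORS:
        return False
    parent_args = event.get("process.parent.args", [])
    if "-c" not in parent_args:
        return False
    return any(SHELL_ESCAPE.match(arg) for arg in parent_args)


# Constructed process-start events (not real telemetry), ECS-style field names.
EVENTS = [
    {"id": "evt-1", "event.type": "start", "process.name": "bash",
     "process.parent.name": "vim",
     "process.parent.args": ["vim", "-c", ":!/bin/bash", "notes.txt"]},
    # vim was given a harmless ex command via -c -> not matched
    {"id": "evt-2", "event.type": "start", "process.name": "sh",
     "process.parent.name": "vim",
     "process.parent.args": ["vim", "-c", "set number", "notes.txt"]},
    # shell under vi but no -c argument at all -> not matched
    {"id": "evt-3", "event.type": "start", "process.name": "sh",
     "process.parent.name": "vi",
     "process.parent.args": ["vi", "notes.txt"]},
    # same argv shape but the parent is not an editor -> not matched
    {"id": "evt-4", "event.type": "start", "process.name": "bash",
     "process.parent.name": "less",
     "process.parent.args": ["less", "-c", ":!/bin/bash"]},
    {"id": "evt-5", "event.type": "start", "process.name": "sh",
     "process.parent.name": "vi",
     "process.parent.args": ["vi", "-c", ":!sh", "/etc/hosts"]},
]


def alerts(events) -> list:
    """Ids of the events that would trigger the rule."""
    return [e["id"] for e in events if matches_vi_shell_breakout(e)]


if __name__ == "__main__":
    print(alerts(EVENTS))  # ['evt-1', 'evt-5']
```

Only the two events where an editor launched with -c carries a shell-escape command and a shell actually starts underneath it fire; a -c with a benign ex command, a shell under vi without -c, or the same argv under a non-editor parent do not.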
Categories
- Linux
- Endpoint
- Application
Data Sources
- Process
ATT&CK Techniques
- T1059
- T1059.004
Created: 2022-03-03