
File Deletion

Sigma Rules

Summary
This detection rule targets file deletion techniques commonly employed by adversaries, focusing on the commands 'rm', 'shred', and 'unlink'. These commands are frequently used during intrusions to eliminate traces of malicious activity by deleting files that may contain artifacts or logs of the attack. The rule uses process creation logs from Linux systems to detect executions of these commands, which can indicate a defense evasion tactic. Legitimate administrative activity will also trigger this rule, so it is categorized as informational, leaving analysts to distinguish benign from malicious use of these commands. The detection condition matches processes whose execution image ends with one of the specified command names.
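As an added illustration (not the rule's own source, which is linked from this page), the following Python re-implements the described match over constructed Linux process-creation events. Field names follow the Sigma process_creation convention (Image, CommandLine), and the sample events are made up; the point it adds is that matching the full basename avoids the false positives a bare suffix check on "rm" would produce.

```python
"""Re-implementation of the detection idea described above: flag process
creation events whose image names rm, shred or unlink. Added example; not the
Sigma rule's own source. Field names (Image, CommandLine) follow the Sigma
process_creation convention."""
from typing import Iterable

DELETION_BINARIES = ("rm", "shred", "unlink")


def image_matches(image: str) -> bool:
    """Compare the basename exactly, so /usr/bin/rm matches while
    /usr/bin/xterm (which also ends in 'rm') and /usr/bin/rmdir do not.
    Sigma rules typically express this as endswith with a leading '/'."""
    basename = image.rsplit("/", 1)[-1]
    return basename in DELETION_BINARIES


def naive_endswith_matches(image: str) -> bool:
    """Bare suffix check, kept only to show the false positives it produces."""
    return image.endswith(DELETION_BINARIES)


def detect(events: Iterable[dict]) -> list[dict]:
    """Return the events whose Image field names a deletion binary."""
    return [e for e in events if image_matches(e.get("Image", ""))]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/rm", "CommandLine": "rm -f /tmp/scratch.txt"},
    {"Image": "/usr/bin/shred", "CommandLine": "shred -u /tmp/notes.txt"},
    {"Image": "/usr/bin/unlink", "CommandLine": "unlink /tmp/old.link"},
    {"Image": "/usr/bin/xterm", "CommandLine": "xterm"},
    {"Image": "/usr/bin/rmdir", "CommandLine": "rmdir /tmp/empty"},
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("deletion command:", hit["Image"], "|", hit["CommandLine"])
    # xterm is the classic false positive of a bare 'rm' suffix match
    print("naive match on xterm:", naive_endswith_matches("/usr/bin/xterm"))
```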
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1070.004
Created: 2020-10-07