sudo -i - *nix

Anvilogic Forge

Summary
This detection rule identifies execution of the `sudo -i` command on Unix-like systems such as Linux and macOS. Adversaries can abuse Unix shell commands to run commands with elevated privileges, potentially gaining unauthorized control of the system. Executing `sudo -i` opens an interactive root login shell, which gives the user complete control over the host. The rule uses Splunk's query language to monitor for this specific command and depends on endpoint data collection, specifically looking for process events in which `sudo -i` is invoked. Because standard audit logs may not capture these events, reliance on EDR tools, bash history, or custom auditd configurations is essential for accurate detection. The behavior is classified as an execution technique under Unix shell, corresponding to MITRE ATT&CK technique T1059.004, which provides a framework for understanding and mitigating this kind of activity.
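The following is an added example of the matching logic the summary describes, written in Python rather than SPL so it can be run offline; it is not Anvilogic's rule or its Splunk query. It assumes a constructed, simplified JSON process-event shape (`host`, `user`, `process`, `command_line`) rather than any vendor's real schema, and it goes slightly beyond the literal string `sudo -i` by also matching the equivalent long form `--login` and short-option clusters such as `-iu`, while ignoring a `-i` that belongs to the command sudo runs rather than to sudo itself.

```python
#!/usr/bin/env python3
"""Flag sudo -i / --login (interactive root login shell) in process events.

Added example for the rule summary above; not the vendor's own logic.
The event records below are constructed, not real telemetry.
"""
import os
import shlex

# Subset of sudo short options that consume a value (glued, e.g. -upostgres,
# or as the next token). Assumed subset for illustration, not the full set.
SUDO_SHORT_OPTS_WITH_ARG = set("ugpCDrtTU")
# Long options whose value is the next token (the --user=x form needs no skip).
SUDO_LONG_OPTS_WITH_ARG = {
    "--user", "--group", "--prompt", "--other-user",
    "--chdir", "--chroot", "--close-from",
}

# Constructed sample events (simplified shape, not a vendor schema).
SAMPLE_EVENTS = [
    {"host": "web01", "user": "alice", "process": "sudo", "command_line": "sudo -i"},
    {"host": "web01", "user": "bob",   "process": "sudo", "command_line": "/usr/bin/sudo --login"},
    {"host": "db02",  "user": "carol", "process": "sudo", "command_line": "sudo -iu postgres"},
    {"host": "db02",  "user": "dave",  "process": "sudo", "command_line": "sudo -u postgres -i"},
    {"host": "web01", "user": "erin",  "process": "sudo", "command_line": "sudo -s"},
    {"host": "web01", "user": "frank", "process": "sudo", "command_line": "sudo apt-get install -i"},
    {"host": "web01", "user": "grace", "process": "bash", "command_line": "bash -c 'echo sudo -i'"},
]


def is_login_shell(command_line: str) -> bool:
    """True when the command line runs sudo with -i/--login among sudo's own options."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: not parseable, do not guess
        return False
    if not argv or os.path.basename(argv[0]) != "sudo":
        return False
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "--":
            return False  # explicit end of sudo options; the command follows
        if tok == "--login":
            return True
        if tok in SUDO_LONG_OPTS_WITH_ARG:
            i += 2  # skip option and its separate value
            continue
        if tok.startswith("--"):
            i += 1  # other long option, possibly --name=value
            continue
        if tok.startswith("-") and len(tok) > 1:
            # Cluster of short options, e.g. -iu or -Hi.
            for pos, ch in enumerate(tok[1:], start=1):
                if ch == "i":
                    return True
                if ch in SUDO_SHORT_OPTS_WITH_ARG:
                    if pos == len(tok) - 1:
                        i += 1  # value is the next token, skip it
                    break  # rest of the cluster (if any) is the glued value
            i += 1
            continue
        return False  # first non-option token is the command sudo will run
    return False


def detect(events):
    """Return the events that match, tagged with the rule name and ATT&CK id."""
    hits = []
    for ev in events:
        if is_login_shell(ev.get("command_line", "")):
            hits.append({**ev, "rule": "sudo -i login shell", "technique": "T1059.004"})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['host']} user={hit['user']} cmd={hit['command_line']!r} -> {hit['technique']}")
```

The parser stops at the first non-option token because anything after that belongs to the program sudo executes, so `sudo apt-get install -i` does not match; the `bash -c 'echo sudo -i'` record is also ignored because its process is `bash`, and a real `sudo` execution would surface as its own process event. Running the block on the sample events reports alice, bob, carol and dave.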
Categories
  • Linux
  • macOS
  • Endpoint
Data Sources
  • Process
  • Application Log
  • User Account
ATT&CK Techniques
  • T1059.004
  • T1059
Created: 2024-02-09