
Summary
This detection rule identifies potential tampering with command history on Linux hosts. Attackers often clear or manipulate shell history to avoid detection by security tooling. The rule targets specific commands and actions that directly alter the contents of files such as "bash_history" or "zsh_history", which record the commands executed in a user's sessions. Notable commands that trigger this rule include clearing the file with a truncating redirect (`cat /dev/null >*sh_history`, `echo "" >*sh_history`), replacing it with a symbolic link to the null device (`ln -sf /dev/null *sh_history`), and changing shell options to disable history storage (`shopt -ou history`). By monitoring these commands, security teams can better identify evasive behaviour that may indicate malicious activity.
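As an added illustration of the matching logic the summary describes (this is example code, not the rule's own query syntax), the matcher below checks command lines for the four patterns named above and runs them over a constructed log format; it deliberately ignores `>>` (append), which does not clear the file.

```python
"""Added example: match the history-tampering command patterns described in the
rule summary. The log format and sample lines are constructed for illustration."""
import re

# A history file as it appears on a command line (~/.bash_history,
# /home/u/.zsh_history, .bash_history ...). Redirect, pipe and separator
# characters are excluded so ">>file" is not swallowed into the file name.
_HIST = r"[^\s>|;&]*sh_history\b"
# A single '>' is a truncating redirect; '>>' appends and leaves history intact.
_TRUNC = r">(?!>)\s*"

RULES = [
    ("cat_devnull_redirect", re.compile(r"\bcat\s+/dev/null\s*" + _TRUNC + _HIST)),
    ("echo_empty_redirect", re.compile(r"\becho(\s+(\"\"|''))?\s*" + _TRUNC + _HIST)),
    ("symlink_devnull", re.compile(r"\bln\s+-(?:sf|fs)\s+/dev/null\s+" + _HIST)),
    ("shopt_disable_history", re.compile(r"\bshopt\s+-ou\s+history\b")),
]


def classify(cmdline: str):
    """Return the name of the first rule the command line trips, or None."""
    for name, pattern in RULES:
        if pattern.search(cmdline):
            return name
    return None


# Constructed log line shape: "<ts> user=<u> pid=<p> cmd=<command line>"
_LOG = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$")


def scan(lines):
    """Return (timestamp, user, rule) for every well-formed line that trips a rule."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue  # unexpected format: skip rather than guess at fields
        rule = classify(m.group("cmd"))
        if rule:
            hits.append((m.group("ts"), m.group("user"), rule))
    return hits


SAMPLE_LOG = [  # constructed sample telemetry, not real data
    "2024-05-01T10:02:11Z user=alice pid=4412 cmd=cat ~/.bash_history | grep ssh",
    "2024-05-01T10:02:40Z user=alice pid=4418 cmd=cat /dev/null > ~/.bash_history",
    "2024-05-01T10:03:05Z user=bob pid=5120 cmd=echo \"\" > /home/bob/.zsh_history",
    "2024-05-01T10:03:30Z user=bob pid=5131 cmd=echo done >> ~/.bash_history",
    "2024-05-01T10:04:02Z user=carol pid=6001 cmd=ln -sf /dev/null ~/.bash_history",
    "2024-05-01T10:04:15Z user=carol pid=6003 cmd=shopt -ou history",
    "malformed line without the expected fields",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```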
Categories
- Linux
- Endpoint
Data Sources
- Command
- Logon Session
ATT&CK Techniques
- T1070.003
Created: 2019-03-24