
Linux Deleting Critical Directory Using RM Command

Splunk Security Content

Summary
This detection rule monitors the deletion of critical directories on Linux systems via the `rm -rf` command. It leverages Endpoint Detection and Response (EDR) telemetry to track command-line executions that target sensitive directories such as /boot, /var/log, /etc, and /dev. Deleting these directories poses a severe risk to system integrity and can cause catastrophic failures, data loss, and protracted downtime; such deletions are often the work of destructive malware like Industroyer2. The rule is essential for identifying potentially destructive commands executed by users and prompting immediate investigation. It captures instances where the `rm` command is used with wildcards aimed at known critical paths, allowing security teams to respond quickly to suspected malicious actions.
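As an added worked example (not the rule's own SPL), the matching logic is shown below in Python over a few constructed EDR process events: it flags `rm` executions that combine a recursive and a force option and name one of the critical directories, or a wildcard directly beneath it. The event field names `host`, `user`, `process` and `cmdline` are assumptions.

```python
import shlex
# Directories the rule treats as critical (from the summary above).
CRITICAL_DIRS = ("/boot", "/var/log", "/etc", "/dev")

# Constructed sample EDR process events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"host": "web01", "user": "root", "process": "rm", "cmdline": "rm -rf /boot/*"},
    {"host": "web01", "user": "deploy", "process": "rm", "cmdline": "rm -rf /var/log/*"},
    {"host": "db01", "user": "ops", "process": "rm", "cmdline": "rm -r -f /etc"},
    {"host": "db01", "user": "ops", "process": "rm", "cmdline": "rm --recursive --force /dev/*"},
    {"host": "app02", "user": "dev", "process": "rm", "cmdline": "rm -rf /tmp/build/*"},
    {"host": "app02", "user": "dev", "process": "rm", "cmdline": "rm /etc/motd"},
    {"host": "app02", "user": "dev", "process": "bash", "cmdline": "bash -c 'echo rm -rf /etc'"},
]

def has_recursive_and_force(args):
    """True when rm was given both a recursive (-r/-R) and a force (-f) option."""
    recursive = force = False
    for a in args:
        if a == "--recursive":
            recursive = True
        elif a == "--force":
            force = True
        elif a.startswith("-") and not a.startswith("--"):
            recursive |= "r" in a or "R" in a  # short options may be bundled: -rf, -fr, -Rf
            force |= "f" in a
    return recursive and force

def critical_target(args):
    """Return the critical directory an argument names (itself or a wildcard under it), else None."""
    for a in args:
        if a.startswith("-"):
            continue
        norm = a.rstrip("/") or "/"
        for d in CRITICAL_DIRS:
            if norm == d or norm.startswith(d + "/*"):
                return d
    return None

def detect_critical_rm(events):
    # Apply the rule's logic to process events and return the ones that should alert.
    alerts = []
    for ev in events:
        if ev["process"] != "rm":
            continue
        try:
            args = shlex.split(ev["cmdline"])[1:]
        except ValueError:  # unbalanced quotes: skip rather than guess
            continue
        if has_recursive_and_force(args) and critical_target(args):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "target": critical_target(args), "cmdline": ev["cmdline"]})
    return alerts
```

Only the first four sample events alert; the /tmp deletion, the single-file `rm` without options, and the `bash` process that merely echoes the string are filtered out.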
Categories
  • Endpoint
  • Linux
Data Sources
  • Pod
  • Process
ATT&CK Techniques
  • T1485
Created: 2024-11-13