
Summary
This detection rule monitors for the execution of the 'swapoff' command on Linux systems, which disables swapping on paging devices. Disabling swap can enable malware, such as Awfulshred, to erase evidence and circumvent forensic analysis. The detection utilizes data from Endpoint Detection and Response (EDR) agents and focuses on process execution logs from 'Linux Auditd'. The rule identifies specific command execution patterns that indicate potentially malicious activity, enabling the detection of attempts to manipulate system memory management, which could lead to data corruption or system instability. This detection is vital for maintaining endpoint security and ensuring that such tactics are caught before they escalate into more significant threats.
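The following is an added illustration, not the rule's own search logic: it correlates constructed Linux Auditd SYSCALL and EXECVE records by audit event id and flags executions of 'swapoff', whether invoked directly or through a shell. The sample log lines, field subset and the `proc_exec` audit key are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample auditd lines (not from the page): a benign `swapon -a`,
# a direct `swapoff -a`, and `swapoff` launched via `sh -c` by a process with
# an unset login uid (auid=4294967295). SYSCALL and EXECVE records that belong
# to one execve share the event id in msg=audit(<time>:<id>).
SAMPLE_AUDITD = """\
type=SYSCALL msg=audit(1736985600.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 auid=1000 uid=0 euid=0 comm="swapon" exe="/usr/sbin/swapon" key="proc_exec"
type=EXECVE msg=audit(1736985600.101:2001): argc=2 a0="swapon" a1="-a"
type=SYSCALL msg=audit(1736985660.202:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1501 auid=1000 uid=0 euid=0 comm="swapoff" exe="/usr/sbin/swapoff" key="proc_exec"
type=EXECVE msg=audit(1736985660.202:2002): argc=2 a0="swapoff" a1="-a"
type=SYSCALL msg=audit(1736985720.303:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=1600 pid=1601 auid=4294967295 uid=0 euid=0 comm="sh" exe="/usr/bin/dash" key="proc_exec"
type=EXECVE msg=audit(1736985720.303:2003): argc=3 a0="sh" a1="-c" a2="swapoff /dev/sda2"
"""

EVENT_ID = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<id>\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_auditd(text):
    """Group SYSCALL and EXECVE records by audit event id into one dict per execve."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group("id")]
        ev["ts"] = m.group("ts")
        if fields.get("type") == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["argv"] = [fields.get(f"a{i}", "") for i in range(argc)]
        else:  # SYSCALL record: keep the process context fields we report on
            ev.update({k: fields[k] for k in ("pid", "ppid", "auid", "uid", "comm", "exe") if k in fields})
    return events

def detect_swapoff(text):
    """Return one alert per execve whose binary or argument vector invokes swapoff."""
    alerts = []
    for eid, ev in parse_auditd(text).items():
        argv = ev.get("argv", [])
        # Match the binary itself, or `swapoff` embedded in a shell -c string.
        hit = (ev.get("comm") == "swapoff" or ev.get("exe", "").endswith("/swapoff")
               or any(re.search(r"(^|[\s;&|])swapoff\b", a) for a in argv))
        if hit:
            alerts.append({"event_id": eid, "ts": ev.get("ts"), "pid": ev.get("pid"),
                           "auid": ev.get("auid"), "exe": ev.get("exe"), "cmdline": " ".join(argv)})
    return alerts

if __name__ == "__main__":
    for alert in detect_swapoff(SAMPLE_AUDITD):
        print(alert)
```

An unset auid (4294967295) on a hit means the process was not started from an interactive login session, which is worth surfacing in triage alongside the parent pid.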
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Container
- Process
ATT&CK Techniques
- T1200
Created: 2025-01-16