New Linux Service Started_Enabled

Anvilogic Forge

Summary
This detection rule monitors Linux systems for a persistence mechanism used by threat actors: creating or configuring a new service so that it starts automatically during the boot process. The rule runs on the Splunk platform and analyzes system events for service management commands such as 'systemctl start', 'systemctl enable', or the older init-script commands (e.g., '/etc/init.d/'). By examining the command-line arguments and process titles, it extracts the relevant fields, including the process name and the services that were enabled or started. The detection is significant for recognizing unauthorized service configurations, which may indicate an attempt by malware or a compromised user account to maintain persistence. The threat actor group TeamTNT is associated with such activity, using it to further its control over the targeted environment.
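The following is an added example, not the Anvilogic rule's own Splunk query: it implements the same detection idea in Python, parsing process command lines for `systemctl start`/`systemctl enable` and `/etc/init.d/<name> start` invocations and extracting the process name and service name, then running it over constructed process events. The `service <name> start` wrapper, the `sudo` prefix handling and the per-environment baseline of expected services are assumptions added for illustration and are not part of the rule as described.

```python
"""Added example: detection logic for newly started or enabled Linux services.
Not the Anvilogic rule's own SPL; the sample events below are constructed."""
from __future__ import annotations

import os
import shlex
from dataclasses import dataclass

# Actions the rule description names as persistence-relevant.
SYSTEMCTL_ACTIONS = {"start", "enable"}
INIT_ACTIONS = {"start"}


@dataclass(frozen=True)
class ServiceEvent:
    host: str
    user: str
    process: str   # binary or init script that was invoked
    action: str    # "start" or "enable"
    service: str   # unit name with any ".service" suffix removed
    cmdline: str   # original command line, kept for triage


def _normalise_unit(name: str) -> str:
    """'foo.service' and 'foo' name the same unit; compare them as 'foo'."""
    return name[: -len(".service")] if name.endswith(".service") else name


def _strip_sudo(argv: list[str]) -> list[str]:
    """Drop a leading 'sudo' and its own options so the real command is argv[0].
    Assumption: only -u/-g take a value; other sudo flags are treated as bare."""
    if argv and os.path.basename(argv[0]) == "sudo":
        argv = argv[1:]
        while argv and argv[0].startswith("-"):
            opt, argv = argv[0], argv[1:]
            if opt in ("-u", "-g") and argv:
                argv = argv[1:]
    return argv


def parse_service_command(cmdline: str) -> list[tuple[str, str, str]]:
    """Return (process, action, service) tuples for command lines that start or
    enable a service; an empty list means the command is not of interest."""
    try:
        argv = _strip_sudo(shlex.split(cmdline))
    except ValueError:  # unbalanced quotes: malformed line, not a match
        return []
    if not argv:
        return []
    exe = argv[0]
    name = os.path.basename(exe)
    if name == "systemctl":
        # First non-option token is the verb; 'enable --now a b' enables several units.
        words = [a for a in argv[1:] if not a.startswith("-")]
        if len(words) >= 2 and words[0] in SYSTEMCTL_ACTIONS:
            return [(name, words[0], _normalise_unit(u)) for u in words[1:]]
        return []
    if exe.startswith("/etc/init.d/") and len(argv) >= 2 and argv[1] in INIT_ACTIONS:
        return [(exe, argv[1], name)]
    if name == "service" and len(argv) >= 3 and argv[2] in INIT_ACTIONS:
        # Assumption: the SysV 'service foo start' wrapper is treated like /etc/init.d/foo start.
        return [(name, argv[2], argv[1])]
    return []


def detect_new_services(events: list[dict], baseline: set[str] = frozenset()) -> list[ServiceEvent]:
    """Flag start/enable commands whose service is not in the host's expected baseline.
    Each event is a dict with host, user and cmdline (field names are assumptions)."""
    hits: list[ServiceEvent] = []
    for ev in events:
        for process, action, service in parse_service_command(ev["cmdline"]):
            if service in baseline:
                continue  # expected service on this fleet; not "new"
            hits.append(ServiceEvent(ev["host"], ev["user"], process, action, service, ev["cmdline"]))
    return hits


# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "web01", "user": "root",   "cmdline": "systemctl enable --now dataproc-agent.service"},
    {"host": "web01", "user": "root",   "cmdline": "sudo -u root systemctl start dataproc-agent"},
    {"host": "db02",  "user": "deploy", "cmdline": "/etc/init.d/updatecheck start"},
    {"host": "db02",  "user": "deploy", "cmdline": "systemctl status sshd"},
    {"host": "db02",  "user": "root",   "cmdline": "systemctl restart sshd"},
    {"host": "db02",  "user": "root",   "cmdline": "systemctl enable cron"},
    {"host": "app03", "user": "ops",    "cmdline": "bash -c 'echo \"unterminated"},
]
EXPECTED_SERVICES = {"sshd", "cron"}  # assumed per-environment baseline


if __name__ == "__main__":
    for hit in detect_new_services(SAMPLE_EVENTS, EXPECTED_SERVICES):
        print(f"{hit.host} {hit.user}: {hit.process} {hit.action} {hit.service}  <- {hit.cmdline}")
```

On the constructed events this yields three hits: the `enable` and `start` of `dataproc-agent` on web01 (the `.service` suffix and the `sudo -u root` prefix are normalised away so both refer to the same unit) and the init-script start of `updatecheck` on db02. The `status` and `restart` commands, the baseline `cron` enable and the unparseable line are all ignored. In production the baseline would come from the asset inventory, and the hits would be joined against logon-session data to attribute the command to an interactive user.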
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • File
  • Logon Session
ATT&CK Techniques
  • T1543.002
Created: 2024-02-09