Linux Service File Created In Systemd Directory

Splunk Security Content

Summary
This analytic rule detects the creation of service files in the systemd unit directories of Linux systems, an activity adversaries use to establish persistence. It relies on Sysmon for Linux logs (EventID 11, FileCreate), which record the file name, the file path, and the GUID of the process that created the file. These events matter to SOC operations because a new unit file written by an unexpected process may indicate that an attacker who already controls the host is installing a service that systemd will start for them on every boot. If confirmed malicious, this activity gives the attacker continued control of the system and can lead to further attacks, including data exfiltration and wider compromise. The rule matches only the systemd directories that are commonly abused, which narrows the search to adversary behaviour while excluding most unrelated administrative activity. Effective use of this detection still requires careful log management and filtering to limit false positives from legitimate administrative tasks such as package installation, which also writes unit files into these directories.
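The following is an added example, not the Splunk rule's own SPL or any code from the Splunk Security Content project. It re-implements the idea described above offline: parse Sysmon for Linux EventID 11 (FileCreate) records, keep only those that write a .service file into a systemd unit directory, and drop a small allowlist of package-manager processes to illustrate false-positive tuning. The list of unit directories, the allowlist, and the sample events are all assumptions constructed for this example; the page does not enumerate the exact paths the rule matches.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Directories from which systemd loads system unit files. Assumed list for
# this example; the page does not enumerate the exact paths the rule matches.
SYSTEMD_UNIT_DIRS = (
    "/etc/systemd/system/",
    "/usr/lib/systemd/system/",
    "/lib/systemd/system/",
    "/run/systemd/system/",
    "/usr/local/lib/systemd/system/",
)

# Constructed allowlist of images that legitimately drop unit files during
# package installation. Tune per environment; this is an illustration only.
BENIGN_IMAGES = frozenset({"/usr/bin/dpkg", "/usr/bin/rpm"})


@dataclass
class FileCreate:
    """The EventID 11 fields the detection needs."""
    utc_time: str
    process_guid: str
    image: str
    target: str
    user: str


def parse_sysmon_event(xml_text: str) -> Optional[FileCreate]:
    """Return a FileCreate for a Sysmon EventID 11 record, else None.

    The {*} wildcard ignores the Windows event-schema namespace that Sysmon
    for Linux places on <Event>.
    """
    root = ET.fromstring(xml_text)
    if root.findtext("./{*}System/{*}EventID") != "11":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("./{*}EventData/{*}Data")}
    return FileCreate(
        utc_time=data.get("UtcTime", ""),
        process_guid=data.get("ProcessGuid", ""),
        image=data.get("Image", ""),
        target=data.get("TargetFilename", ""),
        user=data.get("User", ""),
    )


def is_systemd_service_create(ev: FileCreate) -> bool:
    """True when a .service unit is written into one of the unit directories."""
    return ev.target.endswith(".service") and ev.target.startswith(SYSTEMD_UNIT_DIRS)


def detect(events: List[str]) -> List[FileCreate]:
    """Run the rule over raw XML events, dropping allowlisted package managers."""
    hits = []
    for xml_text in events:
        ev = parse_sysmon_event(xml_text)
        if ev is None or not is_systemd_service_create(ev):
            continue
        if ev.image in BENIGN_IMAGES:
            continue  # false-positive tuning: package installs write unit files
        hits.append(ev)
    return hits


def _event(event_id: str, image: str, target: str) -> str:
    """Build a constructed Sysmon-for-Linux XML record (sample data, not real)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Linux-Sysmon"/><EventID>{event_id}</EventID></System>'
        "<EventData>"
        '<Data Name="UtcTime">2024-11-13 10:15:02.123</Data>'
        '<Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetFilename">{target}</Data>'
        '<Data Name="User">root</Data>'
        "</EventData></Event>"
    )


# Constructed sample events: one suspicious write, one package install,
# one .service written outside the unit directories, one non-FileCreate event.
SAMPLE_EVENTS = [
    _event("11", "/usr/bin/bash", "/etc/systemd/system/.cache-update.service"),
    _event("11", "/usr/bin/dpkg", "/lib/systemd/system/nginx.service"),
    _event("11", "/usr/bin/bash", "/tmp/staging.service"),
    _event("1", "/usr/bin/bash", ""),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit.utc_time} {hit.user} {hit.image} -> {hit.target} ({hit.process_guid})")
```

Running the block reports only the hidden .cache-update.service written by a shell; the dpkg write, the file under /tmp, and the EventID 1 record are all filtered out. In a real deployment the allowlist should be keyed on more than the image path (for example the parent process or the package-manager transaction), because an attacker who already has root can simply name a dropper /usr/bin/dpkg.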
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Container
  • User Account
  • Script
ATT&CK Techniques
  • T1053
  • T1053.003
  • T1053.006
Created: 2024-11-13