
Summary
The rule "Systemd Shell Execution During Boot" detects shell commands executed by the systemd service manager during the boot process on Linux systems. Because systemd manages system processes at startup, an attacker who can influence what it runs can execute malicious commands and maintain persistence on a compromised host. The rule analyzes process events for processes started by systemd, specifically the execution of shells (bash, sh, tcsh, etc.) and their command structure, and checks that the parent process is systemd running with the command line `/sbin/init`, so that the alerts it raises are credible indicators of potential misuse. It relies on the Elastic Defend integration within Elastic Agent, which captures the process data needed to identify this activity. Setup steps and an investigation guide for resulting alerts are provided, including remediation actions and analysis of false positives that can arise from legitimate system maintenance scripts or normal OS behavior.
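As an added example, not the rule's own query, the matching condition described above (a shell whose parent is systemd running as `/sbin/init`) replayed over constructed process events, with an allow-list step for the maintenance-script false positives the summary mentions. The event field names, the allow-list, and the shells beyond bash, sh and tcsh are assumptions.

```python
from dataclasses import dataclass

# Shells the rule summary names (bash, sh, tcsh) plus common others;
# the extra entries are an assumption, not taken from the rule.
SHELLS = {"bash", "sh", "tcsh", "dash", "zsh", "csh", "ksh"}

@dataclass
class ProcessEvent:
    """Minimal process-start event; field names are assumptions, not ECS."""
    name: str            # child executable name
    args: list           # child argv
    parent_name: str     # parent executable name
    parent_cmdline: str  # parent command line as recorded

def matches_rule(ev: ProcessEvent) -> bool:
    """Core condition reconstructed from the summary: a shell whose parent
    is systemd running with the command line /sbin/init (PID 1 at boot).
    A user instance (`systemd --user`) or any other parent does not match."""
    return (ev.name in SHELLS
            and ev.parent_name == "systemd"
            and ev.parent_cmdline == "/sbin/init")

def script_path(args):
    """First non-option argument after the shell name, covering both
    'sh /path/x.sh' and 'sh -c /path/x.sh'; empty if there is none."""
    for a in args[1:]:
        if not a.startswith("-"):
            return a
    return ""

def triage(events, allowlist):
    """Apply the rule, then tag hits whose script path is on an allow-list
    of known maintenance scripts. Returns [(joined argv, verdict)] for hits."""
    out = []
    for ev in events:
        if not matches_rule(ev):
            continue
        verdict = ("expected_maintenance" if script_path(ev.args) in allowlist
                   else "investigate")
        out.append((" ".join(ev.args), verdict))
    return out

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("bash", ["bash", "-c", "/tmp/.x/run.sh"], "systemd", "/sbin/init"),
    ProcessEvent("sh", ["sh", "-c", "/usr/lib/maint/rotate-logs.sh"], "systemd", "/sbin/init"),
    ProcessEvent("bash", ["bash", "-c", "id"], "sshd", "/usr/sbin/sshd -D"),
    ProcessEvent("bash", ["bash", "-c", "/tmp/.x/run.sh"], "systemd", "/lib/systemd/systemd --user"),
]
ALLOWLIST = {"/usr/lib/maint/rotate-logs.sh"}  # constructed example path

if __name__ == "__main__":
    for cmd, verdict in triage(SAMPLE_EVENTS, ALLOWLIST):
        print(f"{verdict:22} {cmd}")
```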
Categories
- Endpoint
- Linux
Data Sources
- Process
- File
ATT&CK Techniques
- T1543
- T1543.002
Created: 2025-01-16