Dynamic Linker (ld.so) Creation

Elastic Detection Rules

Summary
This rule detects the unauthorized creation of the dynamic linker (ld.so) file in Linux environments. ld.so loads the shared libraries every dynamically linked program depends on, so an attacker who replaces it with a malicious variant can execute arbitrary code, manipulate processes, or maintain persistence on a compromised system. The detection uses EQL (Event Query Language) to monitor filesystem events, focusing on the creation of files in the critical paths associated with the dynamic linker. The rule filters out benign processes ('docker', 'yum', 'dnf', 'microdnf', and 'pacman') that are known to write ld.so during package and image updates. When a creation event for ld.so is detected, the rule raises an alert with a low risk score of 21, allowing security analysts to investigate potential threats efficiently. Elastic Defend must be integrated beforehand to collect the necessary logs from Linux endpoints, providing real-time monitoring and analysis of suspicious activity around shared libraries and system binaries.
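The following Python script is an added illustration of the detection logic the summary describes; it is not the rule's actual EQL query and not code from Elastic. It applies the same three conditions (a file creation event, a path that looks like the dynamic linker, a writing process outside the benign list) to constructed ECS-style events. The concrete ld.so path patterns are an assumption, since the summary names only "critical paths"; the ECS field names (`event.action`, `file.path`, `process.name`, `host.name`) follow Elastic's conventions but the sample events themselves are invented.

```python
import fnmatch
import json
from typing import List, Optional

# Glob patterns for dynamic linker locations on common Linux layouts.
# ASSUMPTION: the rule summary names no concrete paths; these are the usual
# glibc locations. fnmatch's '*' also spans '/', so multiarch directories such
# as /lib/x86_64-linux-gnu/ are covered by the first pattern.
LD_SO_PATTERNS = (
    "/lib*/ld-linux*.so*",
    "/usr/lib*/ld-linux*.so*",
)

# Package and container managers the summary lists as benign writers of ld.so.
BENIGN_PROCESSES = frozenset({"docker", "yum", "dnf", "microdnf", "pacman"})

# Risk score stated in the rule summary.
RISK_SCORE = 21


def is_ld_so_path(path: str) -> bool:
    """True if the path matches one of the watched dynamic linker locations."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in LD_SO_PATTERNS)


def evaluate_event(event: dict) -> Optional[dict]:
    """Apply the rule logic to one flattened ECS-style event.

    Returns an alert dict when all conditions hold, otherwise None.
    """
    # Condition 1: only file creation events are in scope.
    if event.get("event.action") != "creation":
        return None
    # Condition 2: the created file must be a dynamic linker path.
    path = event.get("file.path", "")
    if not is_ld_so_path(path):
        return None
    # Condition 3: the writing process must not be a known package/image manager.
    process = event.get("process.name", "")
    if process in BENIGN_PROCESSES:
        return None
    return {
        "host": event.get("host.name"),
        "path": path,
        "process": process,
        "risk_score": RISK_SCORE,
    }


def run_rule(ndjson: str) -> List[dict]:
    """Evaluate newline-delimited JSON events and collect the resulting alerts."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        alert = evaluate_event(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real data). Expected outcome per line:
#   1. alert   - creation of ld.so by 'cp'
#   2. no alert - same path, but written by 'dnf' (benign list)
#   3. no alert - a modification, not a creation
#   4. no alert - ld.so-like name outside the watched paths
#   5. alert   - creation of an aarch64 loader under /usr/lib by 'bash'
SAMPLE_EVENTS = """
{"host.name": "web-01", "event.action": "creation", "file.path": "/lib64/ld-linux-x86-64.so.2", "process.name": "cp"}
{"host.name": "web-01", "event.action": "creation", "file.path": "/lib64/ld-linux-x86-64.so.2", "process.name": "dnf"}
{"host.name": "build-02", "event.action": "modification", "file.path": "/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2", "process.name": "vim"}
{"host.name": "build-02", "event.action": "creation", "file.path": "/tmp/ld-linux-x86-64.so.2", "process.name": "cp"}
{"host.name": "edge-03", "event.action": "creation", "file.path": "/usr/lib/ld-linux-aarch64.so.1", "process.name": "bash"}
"""


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Two points a defender should take from the walk-through: the rule as summarized keys on creation events only, so an in-place modification of an existing ld.so (line 3 of the sample) is outside its scope and needs a separate integrity check; and the benign list is matched on process name alone, which is a tuning convenience rather than a trust boundary, so an analyst reviewing an alert should still confirm the parent process and package transaction rather than assume an excluded name is legitimate.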
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Process
  • Application Log
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1218
  • T1059
  • T1059.004
  • T1574
  • T1574.006
Created: 2024-12-16