Message-of-the-Day (MOTD) File Creation

Elastic Detection Rules

Summary
This rule detects the creation of potentially malicious files within the default Message of the Day (MOTD) directory on Linux systems, specifically '/etc/update-motd.d/'. The MOTD is the message shown to users when they log in to a Linux server, and the scripts that generate it run as root, which attackers can abuse to maintain persistence. The rule uses EQL (Event Query Language) to match events where a new file is created or renamed within that directory, excluding common legitimate processes. The investigation guide associated with the rule describes next steps for analyzing any flagged file and its usage to determine whether a malicious script or command has been introduced: checking for modified files, investigating suspicious processes, and confirming that no malicious backdoors or scripts remain elsewhere on the filesystem.
Categories
  • Linux
  • Endpoint
Data Sources
  • File
  • Process
  • Application Log
ATT&CK Techniques
  • T1037
Created: 2023-02-28