Modification of Persistence Relevant Files Detected via Defend for Containers

Elastic Detection Rules

Summary
This detection rule identifies attempts within a Linux container to create or modify files that matter for persistence: cron jobs, systemd units, sudoers files, and shell profiles. Such changes are unusual in normal container operation and can indicate privilege escalation, preparation for a container escape, or persistence mechanisms that fall outside standard image-build or package-management workflows. The rule uses EQL (Event Query Language) to match file events that create or modify these persistence-related files, focusing on patterns attackers typically use. Investigation covers the process responsible for the modification, the specific files altered, whether the container runs with elevated privileges, and the container's environment, in order to confirm that the behaviour is unusual and to assess the threat.
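As an added illustration (not Elastic's rule and not its EQL query), the following Python models the detection logic described above: it checks container file creation and modification events against persistence-relevant paths, skips writes made by processes on a hypothetical package-manager allowlist, and tags each hit with the ATT&CK technique ids listed on this page. The event shape, the path pattern set and the allowlist are assumptions for the example; the sample events are constructed.

```python
"""Toy model of a container persistence-file detection (added example, not Elastic's code)."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Glob patterns for files that matter for persistence, with a category and the
# ATT&CK technique they map to. Assumption: an illustrative set, not the rule's own list.
PERSISTENCE_PATTERNS: List[Tuple[str, str, str]] = [
    ("/etc/crontab", "cron", "T1053.003"),
    ("/etc/cron*", "cron", "T1053.003"),
    ("/var/spool/cron/*", "cron", "T1053.003"),
    ("/etc/systemd/system/*", "systemd", "T1543"),
    ("/usr/lib/systemd/system/*", "systemd", "T1543"),
    ("/lib/systemd/system/*", "systemd", "T1543"),
    ("/etc/sudoers", "sudoers", "T1548.003"),
    ("/etc/sudoers.d/*", "sudoers", "T1548.003"),
    ("/etc/profile", "shell_profile", "T1546.004"),
    ("/etc/profile.d/*", "shell_profile", "T1546.004"),
    ("/etc/bash.bashrc", "shell_profile", "T1546.004"),
    ("/root/.bashrc", "shell_profile", "T1546.004"),
    ("/root/.profile", "shell_profile", "T1546.004"),
    ("/home/*/.bashrc", "shell_profile", "T1546.004"),
    ("/home/*/.profile", "shell_profile", "T1546.004"),
    ("/etc/rc.local", "init_script", "T1037"),
    ("/etc/init.d/*", "init_script", "T1037"),
]

# Processes that legitimately touch these files during image builds or package
# installs. Assumption: a hypothetical allowlist to tune per environment.
ALLOWED_PROCESSES = {"dpkg", "apt", "apt-get", "rpm", "yum", "dnf", "apk"}

# Only creation and modification are of interest; deletions are out of scope here.
MONITORED_ACTIONS = {"creation", "modification"}


@dataclass
class FileEvent:
    """Minimal container file event (assumed shape, not a real sensor schema)."""
    container_id: str
    privileged: bool      # whether the container runs with elevated privileges
    action: str           # "creation", "modification", "deletion", ...
    path: str
    process_name: str
    process_pid: int


def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (category, technique) if the path is persistence-relevant, else None."""
    for pattern, category, technique in PERSISTENCE_PATTERNS:
        if fnmatch.fnmatchcase(path, pattern):
            return category, technique
    return None


def evaluate(event: FileEvent) -> Optional[Dict[str, object]]:
    """Return an alert record for a suspicious event, or None if it should not fire."""
    if event.action not in MONITORED_ACTIONS:
        return None
    hit = classify_path(event.path)
    if hit is None:
        return None
    if event.process_name in ALLOWED_PROCESSES:
        return None  # expected package-management activity
    category, technique = hit
    return {
        "container_id": event.container_id,
        "container_privileged": event.privileged,  # triage input: privileged containers are higher risk
        "action": event.action,
        "path": event.path,
        "category": category,
        "technique": technique,
        "process": event.process_name,
        "pid": event.process_pid,
    }


def scan(events: List[FileEvent]) -> List[Dict[str, object]]:
    """Run every event through the detection and collect the alerts."""
    return [alert for alert in (evaluate(e) for e in events) if alert is not None]


# Constructed sample events covering a hit, an allowlisted write, a benign path and a deletion.
SAMPLE_EVENTS = [
    FileEvent("c1", True, "creation", "/etc/cron.d/persist", "sh", 4242),
    FileEvent("c1", True, "modification", "/root/.bashrc", "bash", 4243),
    FileEvent("c2", False, "creation", "/etc/systemd/system/agent.service", "dpkg", 100),
    FileEvent("c2", False, "modification", "/app/config.yaml", "python3", 77),
    FileEvent("c3", False, "creation", "/etc/sudoers.d/90-app", "cp", 12),
    FileEvent("c3", False, "deletion", "/etc/crontab", "rm", 13),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts (the cron drop-in, the root shell profile and the sudoers drop-in); the dpkg write is suppressed by the allowlist, the application config is not a persistence path, and the deletion is outside the monitored actions. The `container_privileged` field carries the privilege check from the investigation guidance into the alert so an analyst can prioritise it without a second lookup.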
Categories
  • Containers
  • Linux
Data Sources
  • Container
ATT&CK Techniques
  • T1543
  • T1053
  • T1053.003
  • T1037
  • T1546
  • T1546.004
  • T1548
  • T1548.003
Created: 2026-02-10