
Summary
This detection rule identifies the creation of Dracut module files on Linux systems, which can indicate an attempt to maintain persistence. Dracut generates the initramfs images used to boot Linux. Attackers can abuse Dracut by adding unauthorized modules that execute arbitrary code at boot, giving them a durable foothold on the system. The rule monitors the file paths associated with Dracut modules and filters out well-known legitimate processes to reduce false positives. The included setup instructions describe how to configure the Elastic Defend integration with the Elastic Agent for effective monitoring. Investigation guidance covers how to analyze alerts generated by this rule, including verifying the created file path and the executable responsible for the action. The rule also references several MITRE ATT&CK techniques related to persistence and execution, reflecting the broader implications of unauthorized Dracut module creation.
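As an added illustration of the rule's logic (not the rule's own query or any Elastic code), the following Python checker applies the same idea to constructed file events: flag creation of files under the Dracut module tree unless the creating process is on an allowlist. The module directory, the allowlist and the log format are assumptions, since the page does not list the rule's exact paths or exceptions.

```python
"""Added example, not the detection rule's own query: flags creation of files
under Dracut module directories unless the creating process is allowlisted."""
import re
from dataclasses import dataclass
from typing import Optional

# Standard Dracut module tree; the rule's exact path list is not on the page,
# so treat this tuple as an assumption.
DRACUT_MODULE_DIRS = ("/usr/lib/dracut/modules.d/",)

# Assumed allowlist of processes that legitimately write Dracut modules
# (package managers and dracut itself); illustrative, not the rule's own list.
BENIGN_PROCESSES = {"dnf", "yum", "rpm", "dpkg", "apt", "zypper", "dracut"}

@dataclass
class FileEvent:
    action: str
    path: str
    process: str
    user: str

_KV = re.compile(r'([\w.]+)="([^"]*)"')

def parse_event(line: str) -> Optional[FileEvent]:
    """Parse one constructed key="value" log line; None if a field is missing."""
    f = dict(_KV.findall(line))
    try:
        return FileEvent(f["event.action"], f["file.path"], f["process.name"], f["user.name"])
    except KeyError:
        return None

def is_suspicious(ev: FileEvent) -> bool:
    """Creation inside a Dracut module dir by a process outside the allowlist."""
    in_module_dir = any(ev.path.startswith(d) for d in DRACUT_MODULE_DIRS)
    return ev.action == "creation" and in_module_dir and ev.process not in BENIGN_PROCESSES

def detect(lines) -> list:
    """Return the FileEvents that should raise an alert."""
    events = (parse_event(line) for line in lines)
    return [ev for ev in events if ev is not None and is_suspicious(ev)]

# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    'event.action="creation" file.path="/usr/lib/dracut/modules.d/90kernel-modules/module-setup.sh" process.name="rpm" user.name="root"',
    'event.action="creation" file.path="/usr/lib/dracut/modules.d/99custom/module-setup.sh" process.name="bash" user.name="root"',
    'event.action="creation" file.path="/tmp/module-setup.sh" process.name="bash" user.name="root"',
    'event.action="deletion" file.path="/usr/lib/dracut/modules.d/99custom/module-setup.sh" process.name="bash" user.name="root"',
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(f"ALERT: {ev.process} ({ev.user}) created {ev.path}")
```

Only the second sample line is flagged: the package-manager write, the file outside the module tree, and the deletion event all pass through, which mirrors the path-plus-process filtering the summary describes.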
Categories
- Linux
- Endpoint
Data Sources
- File
- Application Log
- Process
- Network Traffic
ATT&CK Techniques
- T1542
- T1543
- T1574
- T1059
- T1059.004
Created: 2025-01-16