
Summary
This rule detects use of the `chkconfig` binary to add services on Linux systems, which threat actors may use to maintain persistence. The `chkconfig` tool manages system services across runlevels, and adding a service registers it to run at system startup. The rule captures process execution events in which `chkconfig` is invoked with the `--add` argument, while filtering out benign invocations from known administrative parent processes. A match indicates that a service was created or altered, which could be part of a malicious persistence mechanism. Investigation should examine the referenced service files, the process tree, and related logs to establish the context of the event. Appropriate response actions may include isolating the host and removing suspicious services.
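The detection logic described above, written out as an added Python example so it can be traced against sample events. This is not the rule's own query: the event fields (`image`, `command_line`, `parent_name`), the `ASSUMED_BENIGN_PARENTS` allowlist and the sample events are all constructed for this illustration and are not taken from the page.

```python
"""Toy evaluator for the "chkconfig --add" persistence detection.

Added example, not the original rule. The event shape, the parent-process
allowlist and the sample events below are constructed assumptions.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: parent process names treated as benign administrative callers.
# The real rule's exclusion list is not reproduced on the page.
ASSUMED_BENIGN_PARENTS = {"rpm", "yum", "dnf", "puppet-agent", "chef-client"}


@dataclass
class ProcessEvent:
    image: str          # executable path  (Image data source)
    command_line: str   # full command line (Command data source)
    parent_name: str    # parent process name (Process data source)
    event_type: str = "start"


def _args(event: ProcessEvent) -> List[str]:
    """Tokenise the command line; fall back to whitespace on unbalanced quotes."""
    try:
        return shlex.split(event.command_line)
    except ValueError:
        return event.command_line.split()


def is_chkconfig_add(event: ProcessEvent) -> bool:
    """True when the executed image is chkconfig and --add is among its arguments."""
    if event.event_type != "start":
        return False
    if event.image.rsplit("/", 1)[-1] != "chkconfig":
        return False          # e.g. another tool that also takes --add
    return "--add" in _args(event)[1:]


def evaluate(event: ProcessEvent) -> Optional[str]:
    """Return a verdict string for a hit, or None when the event is filtered/unmatched."""
    if not is_chkconfig_add(event):
        return None
    if event.parent_name in ASSUMED_BENIGN_PARENTS:
        return None           # known administrative caller (assumed allowlist)
    return f"chkconfig --add from non-allowlisted parent '{event.parent_name}'"


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Evaluate every event; return (index, verdict) for each alert."""
    hits = []
    for idx, ev in enumerate(events):
        verdict = evaluate(ev)
        if verdict is not None:
            hits.append((idx, verdict))
    return hits


# Constructed sample telemetry (service names are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    ProcessEvent("/sbin/chkconfig", "chkconfig --add placeholder-svc", "bash"),      # alert
    ProcessEvent("/sbin/chkconfig", "chkconfig --add httpd", "rpm"),                 # filtered
    ProcessEvent("/sbin/chkconfig", "chkconfig --list", "bash"),                     # no match
    ProcessEvent("/usr/bin/other-tool", "other-tool --add x", "bash"),               # wrong image
    ProcessEvent("/sbin/chkconfig", "chkconfig placeholder-svc on", "bash"),         # no --add
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict}")
```

Note that, as the summary describes it, the rule keys only on the `--add` argument; enabling an already registered service with `chkconfig <name> on` (the last sample event) does not match, so analysts should pair this rule with monitoring of the service files and runlevel symlinks themselves rather than rely on it alone.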
Categories
- Endpoint
- Linux
Data Sources
- Process
- Command
- Image
ATT&CK Techniques
- T1037
Created: 2022-07-22