
Summary
Detects attempts to abuse the Redis CONFIG SET command to write an SSH authorized_keys file and gain persistence on a Linux host. The rule targets unauthenticated (or weakly protected) Redis instances being manipulated over the network.

The attacker chain is: (1) CONFIG SET dir to an SSH directory such as /root/.ssh, (2) CONFIG SET dbfilename authorized_keys, (3) SET a key whose value is the attacker's public key, padded with newlines, and (4) SAVE or BGSAVE to dump the dataset to disk as /root/.ssh/authorized_keys. The written file is an RDB dump with the key embedded in it; sshd skips lines it cannot parse, so the key is still honoured and the attacker can log in as root (or as whichever user owns the .ssh directory). The chain only works when the redis process can write to that directory, which in practice means it runs as root or as that user.

The detection logic watches Redis protocol traffic for two patterns: CONFIG SET dir with a path containing /.ssh, and CONFIG SET dbfilename with authorized_keys, combined with an accompanying key write (SET) or persistence action (SAVE/BGSAVE) from the same source.

The rule is mapped to MITRE ATT&CK Persistence: Account Manipulation: SSH Authorized Keys (T1098.004) and Initial Access: Exploit Public-Facing Application (T1190). It relies on cleartext Redis traffic (default port 6379); Packetbeat cannot decode TLS-encrypted Redis sessions, and Redis served on a non-default port is only parsed if that port is listed in Packetbeat's redis protocol configuration.

If triggered, investigate the source IPs, verify Redis authentication and ACLs (requirepass, or renaming/disabling CONFIG via ACL rules), examine /root/.ssh/authorized_keys and other users' SSH directories for appended keys or RDB header bytes, review the subsequent SET and SAVE/BGSAVE commands in the same session, check SSH login events for the injected key, and audit outbound connections from the host for lateral movement or C2.
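The following is an added example, not the rule's own query and not Packetbeat code: a small Python model of the detection logic above, run over constructed Redis protocol (RESP) traffic. It assumes the detector receives per-connection client payloads keyed by source IP (roughly what Packetbeat exposes per Redis session); the sample flows, the source addresses and the key string are all made up for the example.

```python
"""Added example: toy detector for the Redis CONFIG SET -> authorized_keys chain.

Illustrative code, not the rule's own query or Packetbeat's Redis parser.
It decodes client->server RESP frames from constructed sample traffic and
flags sources that complete the chain described in the summary.
"""
from __future__ import annotations

PERSIST_CMDS = {"SAVE", "BGSAVE"}
PUBKEY_MARKERS = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "ssh-dss")


def resp(*args: str) -> bytes:
    """Encode one command as a RESP array of bulk strings (what redis-cli sends)."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        raw = a.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out


def parse_resp_commands(payload: bytes) -> list[list[str]]:
    """Split a client->server byte stream into argv lists.

    Only the array/bulk-string framing used by Redis clients is handled;
    inline commands typed over raw telnet raise ValueError.
    """
    cmds: list[list[str]] = []
    i = 0
    while i < len(payload):
        if payload[i:i + 1] != b"*":
            raise ValueError(f"expected array frame at offset {i}")
        end = payload.index(b"\r\n", i)
        nargs = int(payload[i + 1:end])
        i = end + 2
        argv = []
        for _ in range(nargs):
            if payload[i:i + 1] != b"$":
                raise ValueError(f"expected bulk string at offset {i}")
            end = payload.index(b"\r\n", i)
            length = int(payload[i + 1:end])
            i = end + 2
            argv.append(payload[i:i + length].decode("utf-8", "replace"))
            i += length + 2  # skip the data and its trailing CRLF
        cmds.append(argv)
    return cmds


def detect_ssh_key_injection(flows: list[tuple[str, bytes]]) -> list[dict]:
    """Return one alert per source IP that completes the chain.

    flows: (source_ip, client_payload) pairs, one per connection. State is
    kept per source so the chain is caught even when split across sessions.
    """
    state: dict[str, dict] = {}
    for src, payload in flows:
        st = state.setdefault(
            src, {"ssh_dir": None, "authkeys": False, "key_write": False, "persist": False})
        for argv in parse_resp_commands(payload):
            if not argv:
                continue
            cmd = argv[0].upper()
            if cmd == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
                param, value = argv[2].lower(), argv[3]
                if param == "dir" and "/.ssh" in value:
                    st["ssh_dir"] = value
                elif param == "dbfilename" and value == "authorized_keys":
                    st["authkeys"] = True
            elif cmd == "SET" and len(argv) >= 3:
                # Attackers pad the key with newlines so it survives the RDB header.
                if any(m in argv[2] for m in PUBKEY_MARKERS):
                    st["key_write"] = True
            elif cmd in PERSIST_CMDS:
                st["persist"] = True
    alerts = []
    for src, st in state.items():
        if st["ssh_dir"] and st["authkeys"] and (st["key_write"] or st["persist"]):
            alerts.append({"source": src, "dir": st["ssh_dir"],
                           "key_write": st["key_write"], "persist": st["persist"]})
    return alerts


# Constructed sample traffic (not a real capture): a benign backup-path change
# from 10.0.0.5 and the four-step chain from 198.51.100.7 (documentation range).
ATTACKER_KEY = "\n\nssh-ed25519 AAAAconstructedKeyMaterial attacker@example\n\n"
SAMPLE_FLOWS: list[tuple[str, bytes]] = [
    ("10.0.0.5", resp("CONFIG", "SET", "dir", "/var/lib/redis")
     + resp("SET", "session:1", "ok") + resp("BGSAVE")),
    ("198.51.100.7", resp("CONFIG", "SET", "dir", "/root/.ssh")
     + resp("CONFIG", "SET", "dbfilename", "authorized_keys")
     + resp("SET", "crackit", ATTACKER_KEY) + resp("BGSAVE")),
]

if __name__ == "__main__":
    for alert in detect_ssh_key_injection(SAMPLE_FLOWS):
        print(alert)
```

The benign flow changes `dir` and saves but never touches an `.ssh` path or `authorized_keys`, so it produces no alert; the second source completes every step and is reported with both the key write and the persistence command recorded, which is the ordering a responder would look for in the session.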
Categories
- Network
Data Sources
- Network Traffic
ATT&CK Techniques
- T1098
- T1190
- T1098.004
Created: 2026-06-11