
Summary
This detection rule identifies potential persistence mechanisms used by adversaries on Unix-like systems through the modification of RC scripts such as rc.local and rc.common. These scripts run at system startup, so an attacker who alters them can execute a payload with root privileges on the next reboot. The rule uses EDR telemetry to flag modifications to these scripts, specifically command invocations from editors such as vi or vim, or from commands such as echo and tee, that reference the scripts. It uses regular expressions to match process names and script contents, capturing events that suggest unauthorized alterations and may indicate malicious activity. This check remains relevant in environments that still rely on traditional init scripts despite the move to systemd in many distributions. The detection aligns with persistence and privilege-escalation techniques and provides visibility into the early stages of an attack. Overall, it serves as a critical integrity check against unauthorized startup-script modifications.
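As an added example, not part of the original rule or its vendor's code: a small Python implementation of the matching logic described above, run over constructed EDR-style process events (the JSON field names dest, user, process_name and process are assumptions, not a real agent's schema). It goes slightly beyond the rule as summarized by matching on the full command line rather than only the process name, so a shell launched with -c that appends to rc.local is also caught.

```python
import json
import re
from typing import Dict, List

# Tool tokens the rule looks for (editors and write-capable commands) followed,
# somewhere later on the command line, by an rc.local or rc.common reference.
# Word boundaries keep "vi" from matching inside "vim" (the alternation then
# falls through to "vim") and keep "rc-local.service" from matching "rc.local".
RC_SCRIPT_EDIT_RE = re.compile(
    r"(?i)\b(vi|vim|echo|tee)\b.*\brc\.(local|common)\b"
)

# Constructed EDR-style process events, one JSON record per line (sample data,
# not real telemetry). Field names are assumptions.
SAMPLE_LOG = """\
{"dest": "host-a", "user": "root", "process_name": "vim", "process": "vim /etc/rc.local"}
{"dest": "host-b", "user": "root", "process_name": "tee", "process": "tee -a /etc/rc.d/rc.local"}
{"dest": "host-c", "user": "root", "process_name": "echo", "process": "echo '/opt/agent/start.sh &' >> /etc/rc.common"}
{"dest": "host-a", "user": "alice", "process_name": "vim", "process": "vim /home/alice/notes.txt"}
{"dest": "host-b", "user": "root", "process_name": "cat", "process": "cat /etc/rc.local"}
{"dest": "host-d", "user": "root", "process_name": "sh", "process": "sh -c 'echo /opt/agent/start.sh >> /etc/rc.local'"}
{"dest": "host-d", "user": "root", "process_name": "systemctl", "process": "systemctl status rc-local.service"}
"""


def is_rc_script_modification(cmdline: str) -> bool:
    """True when a command line pairs an editor/write tool with an RC script."""
    return RC_SCRIPT_EDIT_RE.search(cmdline) is not None


def detect_rc_script_modifications(log_text: str) -> List[Dict[str, str]]:
    """Parse JSON-lines process events and return one alert per matching event.

    Each alert carries the host, user, offending command line, the tool that
    matched and which RC script was referenced, plus the ATT&CK technique id
    named on the rule page so the alert can be routed like the real rule's.
    """
    alerts: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = json.loads(raw)
        cmdline = event.get("process", "")
        match = RC_SCRIPT_EDIT_RE.search(cmdline)
        if match is None:
            continue
        alerts.append(
            {
                "dest": event.get("dest", "unknown"),
                "user": event.get("user", "unknown"),
                "process_name": event.get("process_name", "unknown"),
                "process": cmdline,
                "tool": match.group(1).lower(),
                "script": "rc." + match.group(2).lower(),
                "technique": "T1037.004",
            }
        )
    return alerts


if __name__ == "__main__":
    for alert in detect_rc_script_modifications(SAMPLE_LOG):
        print(
            f"[{alert['technique']}] {alert['dest']} user={alert['user']} "
            f"tool={alert['tool']} script={alert['script']} :: {alert['process']}"
        )
```

Two practitioner notes on the matching. First, `echo ... >> /etc/rc.local` is a shell redirection: the rc.local path lands in the parent shell's command line, not in echo's own argv, so a rule keyed only on process_name == echo would miss it, which is why the example matches on the full command line. Second, the `\b` after `rc.local` also accepts `rc.local.bak`, a tolerable false positive that an analyst can tune with an allowlist once the baseline of legitimate edits on the fleet is known.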
Categories
- Linux
- Endpoint
Data Sources
- File
- Process
- Logon Session
ATT&CK Techniques
- T1037.004
Created: 2024-02-09