Linux File Creation In Profile Directory

Splunk Security Content

Summary
The Linux File Creation In Profile Directory rule monitors for files created in the /etc/profile.d directory on Linux hosts. Every script in that directory is sourced by /etc/profile whenever a login shell starts, so a file dropped there runs with the privileges of each user who subsequently logs in, root included. That makes the directory a common persistence location for attackers, and a newly created file there is worth examining. The detection relies on filesystem events captured by Sysmon for Linux (EventID 11, FileCreate) to identify any file newly written under this path.

The rule ships with a Splunk search that surfaces these events so that security teams can investigate and respond to suspicious file creation. If the activity is confirmed malicious, it gives the adversary persistent code execution on the host and, depending on who logs in, execution as privileged users, which can lead to privilege escalation and data exfiltration. Legitimate administrative activity also writes to /etc/profile.d (package installs and configuration-management runs are the usual sources), so the rule will produce false positives unless its filters are tuned to exclude known administrator actions; recommendations for that tuning are provided with the rule. The mapped MITRE ATT&CK techniques (T1546 and T1546.004, Event Triggered Execution: Unix Shell Configuration Modification) place the detected behaviour in the broader context of event-triggered persistence through shell configuration changes.
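The following is an added example, not the Splunk Security Content detection itself nor code from the Splunk project: it re-implements the rule's logic in Python over a handful of constructed Sysmon for Linux records, so the filtering decisions (EventID 11 only, paths strictly below /etc/profile.d, an allowlist of administrative tooling to suppress the known false positives) can be read and run offline. The record layout is a flattened form of the Sysmon event fields (EventID, UtcTime, Computer, Image, User, TargetFilename), and the allowlist entries are assumptions about one environment, not part of the rule.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Directory the rule watches. Files here are sourced by /etc/profile for
# every login shell, so a dropped script runs as each user who logs in.
WATCHED_DIR = "/etc/profile.d/"

# Hypothetical per-environment allowlist (an assumption of this example,
# not part of the rule): processes that legitimately write to
# /etc/profile.d on this fleet, typically package managers and
# configuration-management agents. Tune it to the hosts you monitor.
ADMIN_ALLOWLIST = frozenset({
    "/usr/bin/dpkg",
    "/usr/bin/rpm",
    "/usr/bin/apt-get",
    "/opt/puppetlabs/puppet/bin/ruby",
})


@dataclass(frozen=True)
class FileCreateEvent:
    utc_time: str
    dest: str    # host that emitted the event
    image: str   # process that created the file
    user: str
    target: str  # TargetFilename from the Sysmon event


def parse_sysmon(record: dict) -> Optional[FileCreateEvent]:
    """Return the fields the rule needs from a flattened Sysmon for Linux
    record, or None for anything other than EventID 11 (FileCreate)."""
    if record.get("EventID") != 11:
        return None
    return FileCreateEvent(
        utc_time=record["UtcTime"],
        dest=record["Computer"],
        image=record["Image"],
        user=record.get("User", "unknown"),
        target=record["TargetFilename"],
    )


def in_profile_dir(path: str) -> bool:
    """True for any path strictly below /etc/profile.d/.

    Testing the prefix with its trailing slash excludes the directory
    itself and look-alike siblings such as /etc/profile.d.bak, while
    still catching nested paths and dotfiles.
    """
    return path.startswith(WATCHED_DIR) and len(path) > len(WATCHED_DIR)


def detect(records: Iterable[dict],
           allowlist=ADMIN_ALLOWLIST) -> List[FileCreateEvent]:
    """Apply the rule: FileCreate under /etc/profile.d, minus known admin tooling."""
    hits: List[FileCreateEvent] = []
    for record in records:
        event = parse_sysmon(record)
        if event is None or not in_profile_dir(event.target):
            continue
        if event.image in allowlist:
            continue  # expected administrative write: the false-positive filter
        hits.append(event)
    return hits


# Constructed sample records (not real telemetry) covering the cases the
# rule must distinguish.
SAMPLE_RECORDS = [
    # Package manager laying down a completion script: benign, filtered.
    {"EventID": 11, "UtcTime": "2024-11-13 09:14:02.117", "Computer": "web01",
     "Image": "/usr/bin/dpkg", "User": "root",
     "TargetFilename": "/etc/profile.d/bash_completion.sh"},
    # Process creation, not a file event: ignored.
    {"EventID": 1, "UtcTime": "2024-11-13 09:20:44.003", "Computer": "web01",
     "Image": "/bin/bash", "User": "www-data", "CommandLine": "bash -i"},
    # Interactive shell writing a new script into the directory: alert.
    {"EventID": 11, "UtcTime": "2024-11-13 09:21:10.558", "Computer": "web01",
     "Image": "/bin/bash", "User": "www-data",
     "TargetFilename": "/etc/profile.d/zz-cache.sh"},
    # Edit of /etc/profile itself: outside the watched directory for this rule.
    {"EventID": 11, "UtcTime": "2024-11-13 09:30:01.901", "Computer": "web01",
     "Image": "/usr/bin/vim", "User": "root", "TargetFilename": "/etc/profile"},
    # Look-alike sibling directory: ignored.
    {"EventID": 11, "UtcTime": "2024-11-13 09:31:15.214", "Computer": "web01",
     "Image": "/bin/cp", "User": "root",
     "TargetFilename": "/etc/profile.d.bak/old.sh"},
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS):
        print(f"{hit.utc_time} {hit.dest}: {hit.image} ({hit.user}) created {hit.target}")
```

Two caveats follow from the design. Sysmon for Linux only emits EventID 11 for paths that match a FileCreate rule in its configuration, so the detection is silent unless the deployed config includes /etc/profile.d. And the allowlist keys on the writing process, which an adversary can sidestep by delivering the script through the allowed tool (a crafted package, for instance), so triage should still confirm that a new file is owned by an installed package (dpkg -S or rpm -qf) and inspect its contents rather than trusting the Image field alone.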
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • File
  • Cloud Service
  • Script
ATT&CK Techniques
  • T1546
  • T1546.004
Created: 2024-11-13