
Summary
This detection rule identifies instances where the `chattr` command is used to set or clear the immutable attribute on a file on a Linux host. A file carrying the immutable flag cannot be deleted, renamed, modified, hard-linked, or opened in write mode, even by root, until the flag is cleared (which requires the `CAP_LINUX_IMMUTABLE` capability). Threat actors use it to protect malicious files, or files they need for persistence such as `.ssh` contents or `/etc/passwd`, from cleanup and modification. The rule runs over a short lookback window (nine minutes) and matches process-start events for `chattr` whose arguments include the immutable flag (`+i` or `-i`, alone or combined with other attribute letters). It emphasizes inspecting the parent executable to distinguish suspicious from benign uses of `chattr`, since systemd units and configuration-management agents also set the flag. The rule has a medium risk score of 47 and requires process data from the Elastic Defend or Auditbeat integrations. An investigation guide supports incident response teams in analyzing and remediating potential threats, including handling false positives from legitimate system processes; during triage, `lsattr` on the affected path confirms whether the `i` flag is present, and `chattr -i` removes it once the file has been verified.
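The matching logic described above, as an added example that is not the rule's own query or Elastic code: a small Python re-implementation run over constructed process-start events. The benign-parent allowlist and the sensitive-path list are assumptions for illustration (the real rule's exceptions and your fleet will differ); the `+*i*`/`-*i*` argument patterns model the rule's intent of catching any `chattr` invocation that sets or clears the immutable flag, including combined flags such as `+ai` or `-ia`.

```python
"""Toy re-implementation of the chattr immutable-flag detection.

Added example, not the rule's own query. Events are constructed to resemble
ECS-style process.start documents; no real telemetry is used.
"""
from fnmatch import fnmatchcase

# Hypothetical allowlist of parent executables treated as benign (assumption;
# the real rule's exceptions and your environment will differ).
BENIGN_PARENT_PATTERNS = ("/usr/lib/systemd/systemd", "/lib/systemd/systemd")

# Wildcards covering any attribute argument that sets or clears the immutable
# flag: "+i", "-i", "+ai", "-ia", ... (assumption modelled on the rule's intent).
IMMUTABLE_ARG_PATTERNS = ("+*i*", "-*i*")

# Constructed list of paths whose immutability deserves immediate attention.
SENSITIVE_PATH_PATTERNS = ("/etc/passwd", "/etc/shadow", "*/.ssh/*", "/etc/cron*")


def is_immutable_flag_arg(arg: str) -> bool:
    """True if a single argv element toggles the immutable attribute."""
    return any(fnmatchcase(arg, p) for p in IMMUTABLE_ARG_PATTERNS)


def matches_rule(event: dict) -> bool:
    """True when the event is a Linux chattr process start that toggles the
    immutable flag and is not launched by an allowlisted parent executable."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if event.get("process.name") != "chattr":
        return False
    args = event.get("process.args", [])
    if not any(is_immutable_flag_arg(a) for a in args[1:]):  # args[0] is argv[0]
        return False
    parent = event.get("process.parent.executable", "")
    return not any(fnmatchcase(parent, p) for p in BENIGN_PARENT_PATTERNS)


def sensitive_targets(event: dict) -> list:
    """Non-flag arguments (the files chattr operates on) that hit the
    sensitive-path list; used to prioritise triage of a hit."""
    return [
        a for a in event.get("process.args", [])[1:]
        if not a.startswith(("+", "-"))
        and any(fnmatchcase(a, p) for p in SENSITIVE_PATH_PATTERNS)
    ]


def triage(events: list) -> list:
    """Run the rule over a list of events; return (index, sensitive_targets)
    for every event that fires."""
    return [(i, sensitive_targets(ev)) for i, ev in enumerate(events) if matches_rule(ev)]


def _ev(name, args, parent):
    return {"host.os.type": "linux", "event.type": "start", "process.name": name,
            "process.args": args, "process.parent.executable": parent}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev("chattr", ["chattr", "+i", "/etc/passwd"], "/usr/bin/bash"),            # attacker locks passwd
    _ev("chattr", ["chattr", "+i", "/var/log/journal"], "/usr/lib/systemd/systemd"),  # allowlisted parent
    _ev("chattr", ["chattr", "-R", "+a", "/var/log"], "/usr/bin/bash"),          # append-only, not immutable
    _ev("chattr", ["chattr", "-ia", "/root/.ssh/authorized_keys"], "/usr/bin/python3"),  # clears i before tampering
    _ev("lsattr", ["lsattr", "-d", "/etc/passwd"], "/usr/bin/bash"),             # read-only check, no chattr
]

if __name__ == "__main__":
    for idx, targets in triage(SAMPLE_EVENTS):
        print(f"hit on event {idx}: {SAMPLE_EVENTS[idx]['process.args']} sensitive={targets}")
```

Note that the `-*i*` pattern deliberately also catches `chattr -i`, because an actor clearing the flag on a protected file (event 3 above) is as interesting as one setting it; the parent-executable allowlist, not the argument pattern, is where false-positive tuning belongs.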
Categories
- Endpoint
- Linux
- Cloud
Data Sources
- Process
- Script
- Application Log
ATT&CK Techniques
- T1222
- T1222.002
Created: 2022-07-22