Persistence Via Sudoers Files

Sigma Rules

Summary
This detection rule identifies the creation of new sudoers files, or of any file within the "sudoers.d" directory, on Linux systems. Sudoers files define which users may run which commands with elevated privileges, so an attacker who can write one can grant an account they control persistent, unauthorized root-level access. The rule monitors Linux file events and matches any file whose name begins with "/etc/sudoers.d/". Such a file creation may indicate an attempt to establish persistence through privilege escalation. System administrators and security teams should monitor for it, since it aligns with known attack patterns for maintaining elevated privileges on a compromised system.
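The matching logic the summary describes, written out as a small Python matcher run over constructed file-creation events. This is an added example, not the rule's own YAML or any project code; the event field names (EventType, TargetFilename, Image, User) are assumptions modelled on a generic Linux file-event log source, and the sample events are constructed. It goes slightly beyond the rule's stated scope by also flagging /etc/sudoers itself, and it normalizes paths before the prefix test so that lookalike directories and "../" tricks are classified correctly.

```python
"""Added example: apply the sudoers.d file-creation rule to constructed events.

Field names (EventType, TargetFilename, Image, User) are assumptions modelled
on a generic Linux file-event source; the events below are constructed samples,
not real telemetry.
"""
import os
from typing import Dict, List

SUDOERS_DIR = "/etc/sudoers.d"


def normalize(path: str) -> str:
    """Collapse '..', '.' and repeated slashes so a path reported as
    /etc/sudoers.d/../sudoers.d/x or /etc//sudoers.d/x is compared in its
    canonical form. Most sources already resolve paths; this is defensive."""
    return os.path.normpath(path)


def is_sudoers_path(path: str) -> bool:
    """True for anything inside /etc/sudoers.d/ (the rule's own scope) and,
    as an extension of the rule, for /etc/sudoers itself. Keeping the trailing
    '/' in the prefix stops lookalikes such as /etc/sudoers.dx/notes matching."""
    p = normalize(path)
    return p == "/etc/sudoers" or p.startswith(SUDOERS_DIR + "/")


def matches(event: Dict[str, str]) -> bool:
    """The rule: a file-creation event whose target is a sudoers path."""
    return event.get("EventType") == "creation" and is_sudoers_path(
        event.get("TargetFilename", "")
    )


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that fire the rule, with process and user for triage."""
    return [e for e in events if matches(e)]


# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventType": "creation", "TargetFilename": "/etc/sudoers.d/90-backup-ops",
     "Image": "/usr/bin/bash", "User": "www-data"},        # fires
    {"EventType": "creation", "TargetFilename": "/etc/sudoers.d/../sudoers.d/99-local",
     "Image": "/usr/bin/tee", "User": "root"},             # fires after normalization
    {"EventType": "creation", "TargetFilename": "/etc/sudoers",
     "Image": "/usr/bin/vi", "User": "root"},              # fires (extension)
    {"EventType": "creation", "TargetFilename": "/etc/sudoers.dx/notes",
     "Image": "/usr/bin/touch", "User": "alice"},          # lookalike dir: no
    {"EventType": "creation", "TargetFilename": "/etc/sudoers.d/../passwd",
     "Image": "/usr/bin/cp", "User": "root"},              # resolves outside: no
    {"EventType": "creation", "TargetFilename": "/var/tmp/sudoers.d/x",
     "Image": "/usr/bin/touch", "User": "bob"},            # wrong tree: no
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT sudoers write: {normalize(hit['TargetFilename'])} "
              f"by {hit['Image']} as {hit['User']}")
```

Package installs and configuration-management tools also drop files into /etc/sudoers.d/, so a hit is a triage starting point rather than a verdict: the writing process (Image) and the user are the first things to check against what is expected on that host.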
Categories
  • Linux
  • Endpoint
Data Sources
  • File
Created: 2022-07-05