
Persistence via KDE AutoStart Script or Desktop File Modification

Elastic Detection Rules

Summary
This detection rule identifies the creation or modification of K Desktop Environment (KDE) AutoStart scripts or desktop files, which execute automatically at user logon. Adversaries may abuse KDE's AutoStart functionality to persist on compromised systems. The rule works by monitoring file events in the directories where AutoStart scripts and desktop files live: user-specific configuration paths under '/home/' and system-wide locations such as '/etc/xdg/autostart/' and '/usr/share/autostart/'. A file event showing a script or desktop file being created or modified in one of these paths indicates possible abuse of this persistence mechanism. The rule is written in Elastic Query Language (EQL) and checks for files with the '.sh' or '.desktop' extension being created or altered within the specified paths. Analysts are encouraged to investigate such activity further, including the execution chain of any unfamiliar process and the context of the logged events. The rule helps security teams identify potential security incidents on Linux systems.
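As an added illustration (not Elastic's rule or its EQL query), the following Python reimplements the logic described above and runs it over constructed file events, with a triage step that separates package-manager writes to system-wide directories from writes that need analyst review. The per-user directory ~/.config/autostart and the package-manager baseline are assumptions of this example.

```python
import fnmatch

# Autostart locations named in the rule summary; the per-user pattern assumes
# the XDG/KDE convention ~/.config/autostart for home directories under /home/.
AUTOSTART_PATTERNS = ("/home/*/.config/autostart/*",
                      "/etc/xdg/autostart/*",
                      "/usr/share/autostart/*")
WATCHED_SUFFIXES = (".sh", ".desktop")
WATCHED_EVENT_TYPES = {"creation", "modification"}
# Assumed baseline of processes that legitimately write system-wide entries.
PACKAGE_MANAGERS = {"dpkg", "apt", "rpm", "dnf", "pacman"}

def matches_rule(event: dict) -> bool:
    """True when a file event is a creation or modification of a .sh or
    .desktop file inside one of the watched autostart directories."""
    if event.get("category") != "file" or event.get("type") not in WATCHED_EVENT_TYPES:
        return False
    path = event.get("path", "")
    if not path.endswith(WATCHED_SUFFIXES):
        return False
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in AUTOSTART_PATTERNS)

def triage(events: list[dict]) -> list[dict]:
    """Apply the rule, then flag each hit for review unless a package manager
    wrote a system-wide entry, the usual benign case."""
    hits = []
    for event in events:
        if not matches_rule(event):
            continue
        system_wide = not event["path"].startswith("/home/")
        benign = system_wide and event.get("process") in PACKAGE_MANAGERS
        hits.append({"path": event["path"], "process": event.get("process"),
                     "needs_review": not benign})
    return hits

# Constructed sample file events (not real telemetry).
SAMPLE_EVENTS = [
    {"category": "file", "type": "creation", "process": "bash",
     "path": "/home/alice/.config/autostart/updater.desktop"},
    {"category": "file", "type": "modification", "process": "dpkg",
     "path": "/etc/xdg/autostart/org.kde.example.desktop"},
    {"category": "file", "type": "creation", "process": "python3",
     "path": "/usr/share/autostart/sync.sh"},
    {"category": "file", "type": "creation", "process": "bash",
     "path": "/home/alice/Documents/launcher.desktop"},  # outside autostart
    {"category": "file", "type": "deletion", "process": "rm",
     "path": "/etc/xdg/autostart/old.desktop"},  # not a create/modify
    {"category": "file", "type": "creation", "process": "kwrite",
     "path": "/home/alice/.config/autostart/notes.txt"},  # not .sh/.desktop
]
```

Running triage(SAMPLE_EVENTS) yields three hits, of which only the dpkg write to /etc/xdg/autostart/ is marked as not needing review.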
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1547
Created: 2021-01-06