NetworkManager Dispatcher Script Creation

Elastic Detection Rules

Summary
This rule detects the creation of a NetworkManager dispatcher script on Linux systems. Dispatcher scripts are shell scripts that NetworkManager executes whenever the network state changes (for example, when an interface comes up or goes down), so an attacker who can drop a script into the dispatcher directory gains persistence: the malicious code runs, with NetworkManager's privileges, every time a network event fires. The rule uses EQL to monitor file creation events under '/etc/NetworkManager/dispatcher.d/' and alerts on new files created by processes other than the known legitimate writers (package managers and configuration-management tools). The detection does not block anything; it surfaces the activity so analysts can review it. Setup requires the Elastic Defend integration, configured through Fleet. Investigation guidance covers examining the created script's contents and the process that created it, together with advice on handling false positives from common package management and automation tools. Immediate response actions include isolating affected systems, investigating thoroughly, removing any malicious scripts, and hardening the host against reinfection.
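To make the detection condition concrete, here is an added example (not Elastic's rule, not its EQL, and not part of the original page) that re-implements the core logic in Python and runs it over constructed sample events. Field names follow ECS-style flat keys (event.category, event.type, file.path, process.name), and the KNOWN_WRITERS exclusion list is an assumption for illustration, not the rule's actual exclusions. It also handles two practical points: NetworkManager runs scripts placed in the pre-up.d, pre-down.d and no-wait.d subdirectories as well, so the prefix match covers subdirectories; and the path is normalized so that '..' or doubled slashes cannot move a file in or out of scope.

```python
import posixpath

DISPATCHER_DIR = "/etc/NetworkManager/dispatcher.d"

# Assumption: processes treated as legitimate creators of dispatcher scripts
# (package managers and configuration management). This is NOT the rule's
# real exclusion list; tune it to your environment.
KNOWN_WRITERS = {
    "dpkg", "rpm", "dnf", "yum", "apt", "apt-get", "zypper", "pacman",
    "ansible", "puppet", "chef-client", "salt-minion",
}


def _under_dispatcher_dir(path: str) -> bool:
    """True if path resolves to somewhere below /etc/NetworkManager/dispatcher.d/.

    normpath collapses '..' and '//' first, so
    '/etc/NetworkManager/dispatcher.d/../dispatcher.d/x' still matches and
    '/etc/NetworkManager/dispatcher.d/../foo' does not. Subdirectories such
    as pre-up.d/ are included because NetworkManager executes scripts there too.
    """
    norm = posixpath.normpath(path)
    return norm.startswith(DISPATCHER_DIR + "/")


def is_dispatcher_script_creation(event: dict) -> bool:
    """Mirror of the rule's core condition: a file *creation* event whose path
    is inside the dispatcher directory and whose creating process is not a
    known legitimate writer. Modifications of existing scripts are out of scope."""
    if event.get("event.category") != "file":
        return False
    if "creation" not in event.get("event.type", []):
        return False
    if not _under_dispatcher_dir(event.get("file.path", "")):
        return False
    return event.get("process.name") not in KNOWN_WRITERS


def find_alerts(events):
    """Return (process.name, file.path) for every event that should alert."""
    return [(e["process.name"], e["file.path"])
            for e in events if is_dispatcher_script_creation(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Package install drops a script: treated as benign.
    {"event.category": "file", "event.type": ["creation"],
     "file.path": "/etc/NetworkManager/dispatcher.d/01-ifupdown",
     "process.name": "dpkg"},
    # Interactive shell writing a new hook: should alert.
    {"event.category": "file", "event.type": ["creation"],
     "file.path": "/etc/NetworkManager/dispatcher.d/99-update",
     "process.name": "bash"},
    # Script dropped into the pre-up.d subdirectory by curl: should alert.
    {"event.category": "file", "event.type": ["creation"],
     "file.path": "/etc/NetworkManager/dispatcher.d/pre-up.d/sync",
     "process.name": "curl"},
    # Modification of an existing script: not a creation, out of scope.
    {"event.category": "file", "event.type": ["change"],
     "file.path": "/etc/NetworkManager/dispatcher.d/01-ifupdown",
     "process.name": "vim"},
    # Creation elsewhere under /etc: out of scope for this rule.
    {"event.category": "file", "event.type": ["creation"],
     "file.path": "/etc/cron.d/backup",
     "process.name": "bash"},
]

if __name__ == "__main__":
    for proc, path in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: dispatcher script created by {proc}: {path}")
```

When triaging a hit, the script itself is the primary artifact: NetworkManager invokes it with the interface name and the action (up, down, pre-up, and so on) as arguments, so a script that ignores those arguments and simply fetches or launches something on every invocation is a strong indicator of persistence rather than network configuration.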
Categories
  • Linux
  • Endpoint
Data Sources
  • File
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1543
  • T1574
  • T1059
  • T1059.004
Created: 2025-01-16