
Systemd Service Created

Elastic Detection Rules

Summary
This detection rule identifies the creation or renaming of systemd service files in the common unit directories used by both root and regular users on Linux systems. Systemd service files are configuration files that define and manage system services. Threat actors can abuse them to establish persistence by installing or altering service files, which lets malicious commands run at system startup or at routine intervals via timers. This behavior creates potential entry points for unauthorized access, further malicious activity, or evasion of detection mechanisms. Monitoring new and renamed service files is therefore crucial for identifying potential persistence.
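The following added example (not Elastic's rule logic) emulates the detection described above over constructed file events: it alerts on creation or rename of a `.service` unit inside an assumed set of system and per-user unit directories, and shows which events are deliberately left out (a `.timer` unit, a modification by a package manager, a service file dropped outside a unit directory).

```python
import posixpath
from dataclasses import dataclass

# Assumed set of directories systemd scans for unit files (system-wide and per-user);
# the rule summary only says "common directories used by both root and regular users".
SYSTEM_UNIT_DIRS = (
    "/etc/systemd/system",
    "/usr/lib/systemd/system",
    "/lib/systemd/system",
    "/usr/local/lib/systemd/system",
    "/run/systemd/system",
)
USER_UNIT_DIRS = ("/etc/systemd/user", "/usr/lib/systemd/user")
USER_HOME_SUFFIX = "/.config/systemd/user"   # $HOME/.config/systemd/user
WATCHED_ACTIONS = {"creation", "rename"}      # the rule ignores plain modifications

@dataclass(frozen=True)
class FileEvent:
    action: str    # "creation", "rename", "modification", "deletion"
    path: str      # absolute path of the file after the event
    process: str   # process that performed the action

def is_systemd_service_path(path: str) -> bool:
    """True if path is a .service unit inside a system or user unit directory."""
    norm = posixpath.normpath(path)
    if not norm.endswith(".service"):
        return False
    parent = posixpath.dirname(norm)
    if parent in SYSTEM_UNIT_DIRS or parent in USER_UNIT_DIRS:
        return True
    # Per-user units under a home directory (root's home or /home/<user>).
    return parent.endswith(USER_HOME_SUFFIX) and parent.startswith(("/home/", "/root"))

def matches_rule(ev: FileEvent) -> bool:
    """Alert on creation or rename of a systemd service file."""
    return ev.action in WATCHED_ACTIONS and is_systemd_service_path(ev.path)

def evaluate(events):
    """Return the events that would raise an alert, in input order."""
    return [ev for ev in events if matches_rule(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent("creation", "/etc/systemd/system/svc-update.service", "bash"),
    FileEvent("rename", "/home/alice/.config/systemd/user/agent.service", "mv"),
    FileEvent("creation", "/etc/systemd/system/cleanup.timer", "vim"),      # timer, not service
    FileEvent("modification", "/usr/lib/systemd/system/sshd.service", "dpkg"),  # not create/rename
    FileEvent("creation", "/tmp/agent.service", "curl"),                    # outside unit dirs
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {ev.action} {ev.path} by {ev.process}")
```

Only the first two sample events alert; a real deployment would add exclusions for package managers and configuration-management tools to keep the rule's noise down.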
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1543
  • T1543.002
Created: 2023-06-09