
Summary
This detection rule identifies potentially malicious command-line executions on Linux systems that modify user profile files so that scripts run automatically upon reboot. Specifically, it focuses on alterations to files such as ~/.bashrc, /etc/profile, and related files, which can establish persistence for attackers. Using data from Endpoint Detection and Response (EDR) agents, the rule looks for command-line entries that include 'echo' and are directed at these profile files, which are central to user shell environments on Linux. Confirmed instances of this behavior may indicate that an attacker is attempting to maintain access through a persistence mechanism; this is a significant concern because it can lead to arbitrary code execution at system startup. Implementing the rule requires proper ingestion of EDR logs and mapping of their fields to the corresponding process data within the Splunk ecosystem.
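The two conditions the summary describes (an 'echo' in the command line and a reference to a shell profile file) can be exercised outside Splunk against a handful of process events. The following is an added Python example, not part of the rule or its Splunk content; it assumes a flat event dict with CIM-style field names (dest, user, process_name, process), treats ~/.bashrc and /etc/profile from the summary plus a few assumed "related" files as the watch list, and goes one step beyond the summary by separating a loose match (echo plus profile file anywhere on the line) from a confirmed write (a `>`, `>>` or `tee` whose target is a profile file). The sample events are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Home-directory prefixes a profile path may carry (assumed common forms).
_HOME = r"(?:~|\$HOME|/home/[^\s/'\"]+|/root)/"

# ~/.bashrc and /etc/profile are named in the rule summary; the remaining
# entries are assumed "related" shell profile files for this example.
PROFILE_FILE = re.compile(
    rf"(?:{_HOME})?(?<![\w.])\.(?:bashrc|bash_profile|bash_login|profile|zshrc)\b"
    r"|/etc/(?:profile(?:\.d/[^\s'\"]*)?|bash\.bashrc|zsh/zshrc)(?![\w])"
)

# Redirect or tee target: the next unquoted token after '>', '>>' or 'tee [-a]'.
REDIRECT = re.compile(r"(?:>>?|\btee\s+(?:-a\s+)?)\s*['\"]?([^\s'\";&|]+)")


@dataclass
class Finding:
    host: str
    user: str
    process: str
    profile_files: List[str]   # every profile path seen on the command line
    write_targets: List[str]   # only those that are redirect/tee targets

    @property
    def writes_profile(self) -> bool:
        # Loose match vs. confirmed write: analysts usually want the latter.
        return bool(self.write_targets)


def detect_profile_persistence(event: Dict[str, str]) -> Optional[Finding]:
    """Mirror the rule: 'echo' on the command line AND a profile-file reference.

    Returns None when either condition fails; otherwise a Finding whose
    write_targets refines the match to profile files actually being written.
    """
    cmd = event.get("process", "")
    if not re.search(r"\becho\b", cmd):
        return None
    files = [m.group(0) for m in PROFILE_FILE.finditer(cmd)]
    if not files:
        return None
    targets = [t for t in REDIRECT.findall(cmd) if PROFILE_FILE.fullmatch(t)]
    return Finding(event.get("dest", ""), event.get("user", ""), cmd, files, targets)


def run_detection(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply the rule to a batch of process events, keeping matches in order."""
    return [f for f in (detect_profile_persistence(e) for e in events) if f]


# Constructed sample events (CIM-style field names are an assumption).
SAMPLE_EVENTS = [
    {"dest": "web01", "user": "www-data", "process_name": "bash",
     "process": "bash -c \"echo '/tmp/.cache/run.sh &' >> ~/.bashrc\""},
    {"dest": "web01", "user": "root", "process_name": "sh",
     "process": "sh -c \"echo 'export PATH=$PATH:/opt/tool/bin' >> /etc/profile\""},
    {"dest": "dev03", "user": "alice", "process_name": "grep",
     "process": "grep -n echo ~/.bashrc"},                 # reads, never writes
    {"dest": "dev03", "user": "alice", "process_name": "bash",
     "process": "echo hello > /tmp/out.txt"},              # echo, but no profile file
    {"dest": "db02", "user": "root", "process_name": "bash",
     "process": "bash -c \"echo 'alias ll=ls -la' | tee -a /root/.bash_profile\""},
    {"dest": "db02", "user": "bob", "process_name": "vim",
     "process": "vim ~/.bashrc"},                          # profile file, but no echo
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        tag = "WRITE" if f.writes_profile else "loose"
        print(f"[{tag}] {f.host} {f.user}: {f.process}")
```

The loose match reproduces the summary's logic and fires on the `grep` line as well, which is the kind of benign hit an analyst triages away; the `write_targets` check is what separates an actual append to a profile file from a command that merely mentions one. The second event (root extending PATH in /etc/profile) still matches as a write and is a reminder that administrative changes to these files look identical to persistence, so the rule's output needs review against change records rather than being treated as confirmed compromise.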
Categories
- Linux
- Endpoint
Data Sources
- Process
- User Account
- Container
ATT&CK Techniques
- T1546
- T1546.004
Created: 2024-11-13