
Linux Possible Append Command To At Allow Config File

Splunk Security Content

Summary
This detection rule identifies potentially malicious command-line activity on Linux systems, specifically modifications to the /etc/at.allow and /etc/at.deny files. These files control which users may schedule jobs with the at daemon, so altering them can let unauthorized users schedule tasks with escalated privileges and maintain persistent access on affected hosts. The rule uses telemetry from Endpoint Detection and Response (EDR) agents and looks for process executions in which the 'echo' command is used together with either of these configuration files. An attacker who can write to them could arrange for arbitrary code to run at scheduled times, leading to deeper system compromise and exposure of sensitive data. The rule monitors Linux command execution and gives security analysts the context needed to assess the risk of such anomalies.
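The detection logic summarized above, reduced to a small standalone matcher in Python so the behaviour can be tested against sample telemetry. This is an added example for illustration, not the Splunk rule's own SPL: the event field names (host, user, parent_process, process_name, process) and every sample command line below are constructed assumptions chosen to resemble EDR process-execution records.

```python
import re
from dataclasses import dataclass

# Files the rule watches: they control which users may submit 'at' jobs.
AT_CONFIG_FILES = ("/etc/at.allow", "/etc/at.deny")

# Match an 'echo' invocation at the start of the command line, after a shell
# separator, or inside a quoted 'sh -c' / 'bash -c' argument.
ECHO_RE = re.compile(r"""(?:^|[\s;&|(`'"])echo\b""")


@dataclass
class ProcessEvent:
    """Minimal process-execution record (assumed EDR field names)."""
    host: str
    user: str
    parent_process: str
    process_name: str
    process: str  # full command line as recorded by the agent


def is_at_config_tamper(event: ProcessEvent) -> bool:
    """True when the command line runs 'echo' and references at.allow/at.deny.

    This mirrors the rule as described: it keys on 'echo' specifically, so a
    read-only access such as 'cat /etc/at.allow' does not match, and neither
    does a write made through another tool (tee, printf, an editor).
    """
    cmd = event.process
    if not ECHO_RE.search(cmd):
        return False
    return any(path in cmd for path in AT_CONFIG_FILES)


def find_at_config_tampering(events):
    """Return the subset of events that the rule would raise as findings."""
    return [e for e in events if is_at_config_tamper(e)]


def summarize_by_host(events):
    """Group findings by host so an analyst sees affected hosts and users at a glance."""
    summary = {}
    for e in find_at_config_tampering(events):
        summary.setdefault(e.host, []).append((e.user, e.process))
    return summary


# Constructed sample telemetry (not real data): two tampering events, one
# benign read, one unrelated echo, and one write that uses tee instead of echo.
SAMPLE_EVENTS = [
    ProcessEvent("web01", "www-data", "bash", "sh",
                 "sh -c 'echo www-data >> /etc/at.allow'"),
    ProcessEvent("web01", "root", "bash", "cat", "cat /etc/at.allow"),
    ProcessEvent("db02", "admin", "sudo", "bash",
                 'bash -c "echo lowpriv > /etc/at.deny"'),
    ProcessEvent("db02", "admin", "bash", "echo", "echo hello world"),
    ProcessEvent("app03", "deploy", "bash", "tee", "tee -a /etc/at.allow"),
]


if __name__ == "__main__":
    for host, hits in summarize_by_host(SAMPLE_EVENTS).items():
        for user, cmd in hits:
            print(f"{host}: user={user} cmd={cmd}")
```

The tee event in the sample set is deliberately not flagged: it shows the coverage gap of an echo-keyed rule, which is the first thing to check when tuning it, since any tool that writes to /etc/at.allow or /etc/at.deny has the same effect on who may schedule jobs. A file-integrity or inode-write data source would cover those cases independently of the process name.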
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Container
  • User Account
  • Process
ATT&CK Techniques
  • T1053
  • T1053.002
Created: 2024-11-13