
Summary
This detection rule identifies file creation and rename events in the plugin directories of the DNF package manager on Linux systems. DNF is the default package manager on Fedora-based distributions, and because DNF loads plugins on every invocation, an attacker who can write a plugin may use that mechanism to establish persistence through a backdoor. The detection logic is written in EQL (Event Query Language): it watches the plugin file paths and excludes activity from known trusted processes as well as file extensions (for example editor temporary files) that represent benign activity. Setting up this rule requires Elastic Defend, which collects file and process events through the Elastic Agent. The rule focuses on file changes that indicate potential backdoor insertion, flagging file creation and renaming in the targeted plugin directories that do not match the expected, package-manager-driven behavior. Investigation and response guidelines are also provided for handling alerts raised by the detection.
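The following is an added illustration of the detection idea described above, written in Python rather than EQL; it is not the rule's own query. The watched path patterns (DNF's plugin configuration directory and its Python plugin module directory), the trusted executables and the benign extensions are assumptions chosen for the example, as are the sample events it runs over.

```python
"""Illustrative re-implementation of the detection logic described above:
flag file creation/rename events in DNF plugin directories unless they come
from a trusted process or touch a benign (temporary) file extension.
This is example code, not the detection rule's own EQL."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional

# Assumed watch patterns (glob syntax): DNF plugin config directory and the
# Python plugin module directory used on Fedora-family systems.
WATCHED_PATH_GLOBS = (
    "/etc/dnf/plugins/*",
    "/usr/lib/python3*/site-packages/dnf-plugins/*",
)

# Assumed allow-lists: package-manager binaries expected to write plugin files,
# and editor/temporary extensions that do not constitute a loadable plugin.
TRUSTED_EXECUTABLES = frozenset({"/usr/bin/dnf", "/usr/bin/rpm", "/usr/bin/yum"})
BENIGN_EXTENSIONS = frozenset({"swp", "swpx", "swx", "tmp"})


@dataclass(frozen=True)
class FileEvent:
    action: str                 # "creation", "rename", "deletion", ...
    path: str                   # full path of the affected file
    executable: Optional[str]   # process that performed the action, if known


def file_extension(path: str) -> str:
    """Return the lower-cased extension of the final path component ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def in_watched_dir(path: str) -> bool:
    """True when the path falls under one of the monitored plugin directories."""
    return any(fnmatch(path, pattern) for pattern in WATCHED_PATH_GLOBS)


def is_suspicious(event: FileEvent) -> bool:
    """Apply the rule's shape: creation/rename in a plugin dir, minus exclusions."""
    if event.action not in ("creation", "rename"):
        return False
    if event.executable is None:          # no process attribution: cannot apply allow-list
        return False
    if not in_watched_dir(event.path):
        return False
    if event.executable in TRUSTED_EXECUTABLES:
        return False
    if file_extension(event.path) in BENIGN_EXTENSIONS:
        return False
    return True


def find_alerts(events: List[FileEvent]) -> List[FileEvent]:
    """Return the events that would raise an alert, in input order."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Python interpreter dropping a new plugin module: alert.
    FileEvent("creation", "/usr/lib/python3.12/site-packages/dnf-plugins/persist.py",
              "/usr/bin/python3"),
    # Package manager installing its own plugin config: trusted, no alert.
    FileEvent("creation", "/etc/dnf/plugins/copr.conf", "/usr/bin/dnf"),
    # Editor swap file: benign extension, no alert.
    FileEvent("creation", "/etc/dnf/plugins/.versionlock.conf.swp", "/usr/bin/vim"),
    # Editor writing the real config via rename: untrusted process, alert.
    FileEvent("rename", "/etc/dnf/plugins/versionlock.conf", "/usr/bin/vim"),
    # Deletion is out of scope for this rule.
    FileEvent("deletion", "/etc/dnf/plugins/copr.conf", "/usr/bin/rm"),
    # Outside the watched directories.
    FileEvent("creation", "/tmp/persist.py", "/usr/bin/python3"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert.action} {alert.path} by {alert.executable}")
```

The fourth sample event shows why an editor-based exclusion on swap-file extensions alone still produces an alert on the final rename: an administrator hand-editing a plugin config looks the same as an attacker doing it, so the investigation guidance, rather than the query, has to separate the two.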
Categories
- Linux
- Endpoint
Data Sources
- File
- Process
- Network Share
ATT&CK Techniques
- T1543
- T1546
- T1546.016
- T1574
Created: 2024-06-25