
Summary
This rule is designed to detect the creation or modification of files related to the dynamic linker on Linux systems. The dynamic linker is a critical component of the Linux OS that loads and executes programs by managing shared libraries. Attackers may target dynamic linker configurations to manipulate program flow for malicious purposes. The rule targets the files `/etc/ld.so.preload`, `/etc/ld.so.conf`, and `/etc/ld.so.conf.d/*`, which are essential for the dynamic linker's operation. Using Elastic Defend data, it monitors for file creation or rename events that could signify an unauthorized modification of these configurations. The rule has a medium severity and a risk score of 47, indicating that such modifications could represent a significant threat. It explicitly excludes benign processes, known package management commands, and certain file extensions to minimize false positives. Alongside detection, the rule recommends investigation steps, including validation of the processes involved and the origin of the files, and outlines response and remediation strategies if a threat is identified.
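The matching logic described above, reproduced as an added Python example over constructed file events (this is not the rule's own query or Elastic's code); the watched paths, severity and risk score come from the summary, while the package-manager and file-extension exclusion lists are assumptions, since the summary does not enumerate them:

```python
import fnmatch
import os
from dataclasses import dataclass
from typing import Optional

# Paths named in the rule description; "*" covers drop-in files under ld.so.conf.d
WATCHED_PATHS = ("/etc/ld.so.preload", "/etc/ld.so.conf", "/etc/ld.so.conf.d/*")
WATCHED_ACTIONS = {"creation", "rename"}  # the rule keys on create/rename events only
# Assumed exclusion lists (illustrative; the summary does not list the real ones)
EXCLUDED_PROCESSES = {"dpkg", "rpm", "yum", "dnf", "apt-get", "pacman"}
EXCLUDED_EXTENSIONS = {"swp", "swx", "swpx", "tmp"}  # editor/installer scratch files
SEVERITY, RISK_SCORE, TECHNIQUE = "medium", 47, "T1574.006"


@dataclass(frozen=True)
class FileEvent:
    """Minimal stand-in for a file event (constructed, not the real Elastic schema)."""
    action: str        # "creation", "rename", "modification", "deletion"
    path: str          # full target path of the file
    process_name: str  # name of the process that performed the action


def is_dynamic_linker_path(path: str) -> bool:
    # fnmatchcase keeps the comparison case-sensitive, as Linux paths are
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in WATCHED_PATHS)


def file_extension(path: str) -> str:
    return os.path.splitext(path)[1].lstrip(".")  # "" when there is no extension


def evaluate(event: FileEvent) -> Optional[dict]:
    """Return an alert dict when the event matches the rule, else None."""
    if event.action not in WATCHED_ACTIONS or not is_dynamic_linker_path(event.path):
        return None
    if event.process_name in EXCLUDED_PROCESSES:             # routine package installs
        return None
    if file_extension(event.path) in EXCLUDED_EXTENSIONS:    # editor scratch files
        return None
    return {"severity": SEVERITY, "risk_score": RISK_SCORE, "technique": TECHNIQUE,
            "action": event.action, "path": event.path, "process": event.process_name}


def run(events) -> list:
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed sample telemetry: two events should alert, the rest are excluded or out of scope
SAMPLE_EVENTS = [
    FileEvent("creation", "/etc/ld.so.preload", "bash"),               # alert
    FileEvent("rename", "/etc/ld.so.conf.d/zz-custom.conf", "dpkg"),   # package manager
    FileEvent("creation", "/etc/ld.so.conf.d/.x.conf.swp", "vim"),     # editor swap file
    FileEvent("modification", "/etc/ld.so.conf", "sed"),               # not create/rename
    FileEvent("creation", "/etc/passwd", "useradd"),                   # unrelated path
    FileEvent("rename", "/etc/ld.so.conf", "cp"),                      # alert
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```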
Categories
- Endpoint
- Linux
Data Sources
- File
- Process
ATT&CK Techniques
- T1574
- T1574.006
Created: 2024-08-08