
Potentially Suspicious Shell Script Creation in Profile Folder

Sigma Rules

Summary
This detection rule flags the creation of shell scripts under the `/etc/profile.d/` directory on Linux systems. Scripts in this directory are executed at user login, so an unexpected new file there can indicate an attempt to establish persistence; malware such as GobRAT uses shell scripts to support its operations. The rule uses file event logs and matches file-creation events whose filename contains the profile path and ends with a common shell script extension, such as `.sh` or `.csh`. Known legitimate script files should be filtered out to reduce false positives. The rule's references place it within the broader practice of monitoring scripts in Linux environments for malicious use and underline the value of consistent logging and monitoring. Deploy the rule with the acceptable noise level of your environment in mind.
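The following is an added example, not the Sigma rule itself or code from the rule's authors, showing how the selection logic described above (file-creation event, path contains `/etc/profile.d/`, name ends with `.sh` or `.csh`) can be applied to file-event records together with an allowlist of known scripts. The event format, the `KNOWN_SCRIPTS` allowlist and the sample events are constructed for illustration; a real deployment would take events from its own file-monitoring source and tune the allowlist to the host baseline.

```python
"""Illustrative matcher for shell-script creation under /etc/profile.d/.

Assumes file events are dicts with 'action', 'path' and 'process' keys
(a constructed shape, not a specific product's telemetry format).
"""
from dataclasses import dataclass
from typing import Iterable, List

PROFILE_DIR = "/etc/profile.d/"
SCRIPT_SUFFIXES = (".sh", ".csh")

# Hypothetical allowlist of script names considered legitimate on the host.
# Tune this per environment; it is the false-positive filter the rule text calls for.
KNOWN_SCRIPTS = frozenset({"lang.sh", "vim.sh", "colorls.sh", "colorls.csh"})


@dataclass(frozen=True)
class Finding:
    path: str
    process: str


def matches_rule(path: str) -> bool:
    """Core selection: path contains the profile dir and ends with .sh or .csh.

    'contains' is deliberately broad, mirroring a Sigma |contains modifier:
    a path like /mnt/root/etc/profile.d/x.sh also matches.
    """
    return PROFILE_DIR in path and path.endswith(SCRIPT_SUFFIXES)


def is_allowlisted(path: str) -> bool:
    """Compare only the basename against the allowlist."""
    return path.rsplit("/", 1)[-1] in KNOWN_SCRIPTS


def evaluate(events: Iterable[dict]) -> List[Finding]:
    """Return one Finding per file-creation event that matches and is not allowlisted."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("action") != "create":
            continue  # the rule is scoped to file creations only
        path = ev.get("path", "")
        if matches_rule(path) and not is_allowlisted(path):
            findings.append(Finding(path=path, process=ev.get("process", "")))
    return findings


# Constructed sample events covering the match, non-match and allowlist cases.
SAMPLE_EVENTS = [
    {"action": "create", "path": "/etc/profile.d/lang.sh", "process": "/usr/bin/rpm"},      # allowlisted
    {"action": "create", "path": "/etc/profile.d/update.sh", "process": "/bin/bash"},       # finding
    {"action": "modify", "path": "/etc/profile.d/vim.sh", "process": "/usr/bin/vim"},       # not a creation
    {"action": "create", "path": "/etc/profile.d/README", "process": "/usr/bin/rpm"},       # no script suffix
    {"action": "create", "path": "/home/alice/profile.d/x.sh", "process": "/bin/bash"},     # wrong directory
    {"action": "create", "path": "/etc/profile.d/.sys.csh", "process": "/usr/bin/curl"},    # finding
]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {f.path} created by {f.process}")
```

Matching on the basename for the allowlist keeps the path-containment check intact while still suppressing known files; a stricter variant could additionally key the allowlist on the creating process so that a known filename dropped by an unexpected process is still reported.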
Categories
  • Linux
  • Endpoint
Data Sources
  • File
Created: 2023-06-02