
Linux Group Creation

Elastic Detection Rules

Summary
This rule detects the creation of new user groups on Linux systems, a step attackers can take to establish persistence or to escalate privileges. Written in Event Query Language (EQL), it matches events whose type is both 'group' and 'creation' and whose originating process is 'groupadd' or 'addgroup'. Such an event can signal malicious activity: an attacker who creates a group and adds a compromised account to it gains a durable and easily overlooked way to keep unauthorized access. The rule ships with an investigation guide that walks through confirming the group was actually created, identifying which users were added to it, and checking whether those users have since logged in. Because group creation is also a routine administrative action, the investigation should weigh legitimate explanations to avoid false positives; incident response steps are provided for cases where malicious activity is confirmed. The rule aims to improve detection of persistence mechanisms used by attackers in Linux environments.
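As an added illustration (not Elastic's rule code and not part of the original page), the following Python reproduces the rule's matching conditions over constructed, ECS-shaped sample events and then performs the follow-up steps the investigation guide describes: listing users added to the new group and checking which of them logged in afterwards. The flattened field names, the `event.action` value `user-added-to-group`, the sample timestamps and the `EXPECTED_PROVISIONERS` allow list are assumptions made for this example.

```python
GROUP_CREATION_TOOLS = {"groupadd", "addgroup"}

# Constructed sample events in a flattened, ECS-like shape. The field names and
# the "event.action" value are assumptions for this example, not Elastic's schema.
# Timestamps are ISO-8601 UTC strings of equal length, so string comparison orders them.
SAMPLE_EVENTS = [
    # 1. root creates a group with groupadd -> should match the rule
    {"@timestamp": "2023-02-13T10:00:00Z", "host.os.type": "linux",
     "event.category": ["iam"], "event.type": ["group", "creation"],
     "process.name": "groupadd", "group.name": "backup-ops", "user.name": "root"},
    # 2. the account 'svc-web' is then added to that group (usermod)
    {"@timestamp": "2023-02-13T10:00:05Z", "host.os.type": "linux",
     "event.category": ["iam"], "event.type": ["user", "change"],
     "event.action": "user-added-to-group", "process.name": "usermod",
     "group.name": "backup-ops", "user.target.name": "svc-web", "user.name": "root"},
    # 3. svc-web logs in successfully after the change
    {"@timestamp": "2023-02-13T10:02:00Z", "host.os.type": "linux",
     "event.category": ["authentication"], "event.type": ["start"],
     "event.outcome": "success", "process.name": "sshd", "user.name": "svc-web"},
    # 4. addgroup on a Debian-style host -> should also match
    {"@timestamp": "2023-02-13T11:00:00Z", "host.os.type": "linux",
     "event.category": ["iam"], "event.type": ["group", "creation"],
     "process.name": "addgroup", "group.name": "deploy", "user.name": "ansible"},
    # 5. group modification, not creation -> must not match
    {"@timestamp": "2023-02-13T11:05:00Z", "host.os.type": "linux",
     "event.category": ["iam"], "event.type": ["group", "change"],
     "process.name": "groupmod", "group.name": "deploy", "user.name": "root"},
    # 6. group creation on Windows -> outside this rule's scope
    {"@timestamp": "2023-02-13T11:10:00Z", "host.os.type": "windows",
     "event.category": ["iam"], "event.type": ["group", "creation"],
     "process.name": "net.exe", "group.name": "Admins2", "user.name": "Administrator"},
]


def is_group_creation(ev):
    """Mirror the conditions summarised above: Linux host, event.type carrying
    both 'group' and 'creation', creating process groupadd/addgroup, group name present."""
    types = set(ev.get("event.type", []))
    return (ev.get("host.os.type") == "linux"
            and {"group", "creation"} <= types
            and ev.get("process.name") in GROUP_CREATION_TOOLS
            and ev.get("group.name") is not None)


def detect_group_creations(events):
    return [ev for ev in events if is_group_creation(ev)]


def investigate(events, alert):
    """Investigation steps: who was added to the new group after its creation,
    and which of those users logged in successfully afterwards."""
    created_at = alert["@timestamp"]
    group = alert["group.name"]
    added = [ev["user.target.name"] for ev in events
             if ev.get("event.action") == "user-added-to-group"
             and ev.get("group.name") == group
             and ev["@timestamp"] >= created_at]
    logged_in = sorted({ev["user.name"] for ev in events
                        if "authentication" in ev.get("event.category", [])
                        and ev.get("event.outcome") == "success"
                        and ev.get("user.name") in added
                        and ev["@timestamp"] >= created_at})
    return {"group": group, "created_by": alert["user.name"],
            "members_added": added, "members_logged_in": logged_in}


# Accounts expected to create groups during routine provisioning (assumed allow list).
EXPECTED_PROVISIONERS = {"ansible"}


def triage(events):
    """Rank each alert: a known provisioner creating an empty group is low priority,
    a new group whose added members have already logged in is high."""
    findings = []
    for alert in detect_group_creations(events):
        finding = investigate(events, alert)
        if finding["created_by"] in EXPECTED_PROVISIONERS and not finding["members_added"]:
            finding["priority"] = "low"
        elif finding["members_logged_in"]:
            finding["priority"] = "high"
        else:
            finding["priority"] = "medium"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Events 5 and 6 exercise the two most common near-misses (a group modification and a non-Linux host); the allow list is only a triage hint, since a provisioning account can itself be compromised.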
Categories
  • Endpoint
  • Linux
  • Other
Data Sources
  • Process
  • Command
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1136 (Create Account)
  • T1136.001 (Create Account: Local Account)
Created: 2023-02-13