
Systemd Service Creation

Sigma Rules

Summary
This detection rule identifies the creation of systemd service units on Linux systems, a common persistence technique in which an adversary drops a unit file so that a malicious payload is executed at boot or at user login. The rule consumes auditd file-creation events and matches unit files written to the standard system locations '/usr/lib/systemd/system/' and '/etc/systemd/system/', as well as user-scoped units under '.config/systemd/user/' in a home directory. Both criteria must hold for an alert: the path must fall under one of those directories and the new file must be a '.service' unit. Because the rule relies on auditd PATH records, it only fires when audit watch rules actually cover those directories; it also only covers creation, not edits to an existing unit. The rule carries a false-positive note for legitimate service installations (package managers and administrators create units the same way), so every alert needs triage rather than automatic blocking.
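The detection logic described above, run over a handful of constructed auditd records. This is an added example written for this page, not the rule's own YAML or any code from the Sigma project; the field layout (type=PATH, name=..., nametype=CREATE) follows auditd's real PATH record format, but the sample lines, inode numbers and key names are made up here.

```python
import re

# Unit directories from the rule description. The user path is matched as a
# substring so it covers any home directory (e.g. /home/alice/.config/systemd/user/).
SERVICE_DIRS = (
    "/usr/lib/systemd/system/",
    "/etc/systemd/system/",
    ".config/systemd/user/",
)

# auditd records are space-separated key=value pairs; quoted values may contain spaces.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_record(line: str) -> dict:
    """Split one auditd record into a dict of field name -> value."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _FIELD_RE.finditer(line)
    }


def is_systemd_service_creation(record: dict) -> bool:
    """Rule logic: a PATH record for a newly created .service file in a systemd unit directory."""
    if record.get("type") != "PATH" or record.get("nametype") != "CREATE":
        return False
    name = record.get("name", "")
    return name.endswith(".service") and any(d in name for d in SERVICE_DIRS)


def scan(lines):
    """Return the unit paths that would raise the alert, in log order."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if is_systemd_service_creation(rec):
            hits.append(rec["name"])
    return hits


# Constructed sample records (not real logs): two true positives, a write to an
# existing unit (nametype=NORMAL), a .service file outside the unit directories,
# and the SYSCALL record that accompanies a PATH record.
SAMPLE_LOG = [
    'type=PATH msg=audit(1643890000.123:456): item=1 name="/etc/systemd/system/backup-agent.service" inode=262145 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE',
    'type=PATH msg=audit(1643890001.456:457): item=1 name="/home/alice/.config/systemd/user/sync.service" inode=393217 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE',
    'type=PATH msg=audit(1643890002.789:458): item=0 name="/etc/systemd/system/backup-agent.service" inode=262145 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=PATH msg=audit(1643890003.012:459): item=1 name="/tmp/notes.service" inode=1234 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE',
    'type=SYSCALL msg=audit(1643890000.123:456): arch=c000003e syscall=257 success=yes exit=3 comm="bash" exe="/usr/bin/bash" key="systemd_units"',
]

if __name__ == "__main__":
    for path in scan(SAMPLE_LOG):
        print("ALERT systemd service created:", path)
```

Two things the sample makes visible. First, the third record is a modification of an already existing unit and does not match, so an attacker who appends an ExecStart line to a legitimate unit is not caught by this rule; pair it with a write watch on the same directories. Second, none of these records exist at all unless auditd is configured to watch the directories (a rule of the form `-w /etc/systemd/system -p wa -k systemd_units`, and the equivalent for the other paths); verify the watches are loaded before relying on the detection. Expect `systemctl enable` to produce matches too, since it creates symlinks named `*.service` under `/etc/systemd/system/<target>.wants/`.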
Categories
  • Linux
  • Endpoint
  • Infrastructure
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1543.002
Created: 2022-02-03