
Summary
This detection rule identifies suspicious network activity initiated by systemd on Linux endpoints, which may indicate backdoor persistence. The systemd service manager, the init system on most Linux distributions, can be abused by attackers to run malicious scripts or commands automatically at boot or in response to specific events, by altering its unit files or replacing the binaries they launch. The rule is an Elastic Query Language (EQL) sequence query: it looks for a process creation followed by a network connection attempt, both originating from a systemd-managed process. Specifically, it watches for scripting-language interpreters (such as Python, PHP, and Perl) that then open unauthorized network connections, and flags that combination as potential backdoor activity. Correct configuration and monitoring of systemd-related processes improves visibility into this technique and supports early detection and response.
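As an added example that is not the Elastic rule or its EQL query, the following Python emulates the sequence logic the summary describes (a scripting interpreter started by systemd, followed by a network connection from the same process) over constructed sample events; the event field names, the interpreter list, and the 5-second window are assumptions.

```python
# Added example: emulates the rule's sequence logic in Python. It is not the
# Elastic EQL rule; the event schema, interpreter list and window are assumed.

# Interpreters the rule description names (assumed to match on process name).
SCRIPT_INTERPRETERS = {"python", "python3", "php", "perl"}
WINDOW_SECONDS = 5.0  # assumed maximum gap between process start and connection


def detect_systemd_script_beacons(events, window=WINDOW_SECONDS):
    """Return one alert per scripting interpreter that systemd started directly
    and that opened a network connection within `window` seconds.

    Each event is a dict with keys ts (float seconds), event ("start" or
    "connect"), pid, name (process name), parent (parent process name) and
    dest (remote endpoint, only for "connect"). Events must be in time order.
    """
    pending = {}  # pid -> qualifying "start" event awaiting its connection
    alerts = []
    for ev in events:
        if ev["event"] == "start":
            if ev["parent"] == "systemd" and ev["name"] in SCRIPT_INTERPRETERS:
                pending[ev["pid"]] = ev
            else:
                pending.pop(ev["pid"], None)  # pid reused by an unrelated process
        elif ev["event"] == "connect":
            start = pending.pop(ev["pid"], None)
            if start is not None and ev["ts"] - start["ts"] <= window:
                alerts.append({"pid": ev["pid"], "name": start["name"],
                               "dest": ev["dest"], "delay": ev["ts"] - start["ts"]})
    return alerts


# Constructed sample telemetry (not real data); TEST-NET addresses are used.
SAMPLE_EVENTS = [
    {"ts": 0.0, "event": "start", "pid": 101, "name": "python3", "parent": "systemd"},
    {"ts": 1.5, "event": "connect", "pid": 101, "name": "python3", "parent": "systemd",
     "dest": "203.0.113.5:443"},
    # Interpreter launched from a shell, not systemd: out of scope for this rule.
    {"ts": 2.0, "event": "start", "pid": 102, "name": "perl", "parent": "bash"},
    {"ts": 2.4, "event": "connect", "pid": 102, "name": "perl", "parent": "bash",
     "dest": "203.0.113.9:80"},
    # systemd-started php that connects only long after start: outside the window.
    {"ts": 3.0, "event": "start", "pid": 103, "name": "php", "parent": "systemd"},
    {"ts": 40.0, "event": "connect", "pid": 103, "name": "php", "parent": "systemd",
     "dest": "203.0.113.7:8080"},
]

if __name__ == "__main__":
    for alert in detect_systemd_script_beacons(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} {alert['name']} -> {alert['dest']} "
              f"{alert['delay']:.1f}s after systemd started it")
```

Widening the window trades fewer misses against more noise from legitimate systemd services written in these languages, so tune it against the services actually deployed on the endpoint.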
Categories
- Linux
- Endpoint
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1543
- T1543.002
- T1574
Created: 2024-02-01