diff --git a/rules/integrations/fim/persistence_suspicious_file_modifications.toml b/rules/integrations/fim/persistence_suspicious_file_modifications.toml
index 3d4d2b5e8..b9813e453 100644
--- a/rules/integrations/fim/persistence_suspicious_file_modifications.toml
+++ b/rules/integrations/fim/persistence_suspicious_file_modifications.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["fim"]
 maturity = "production"
-updated_date = "2024/12/17"
+updated_date = "2025/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -123,6 +123,34 @@ file.path : (
   "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*",
   "/etc/pam.d/*", "/etc/security/pam_*", "/etc/pam.conf",
 
+  // Polkit Rule files
+  "/etc/polkit-1/rules.d/*", "/usr/share/polkit-1/rules.d/*",
+
+  // Polkit pkla files
+  "/etc/polkit-1/localauthority/*", "/var/lib/polkit-1/localauthority/*",
+
+  // Polkit Action files
+  "/usr/share/polkit-1/actions/*",
+
+  // Polkit Legacy paths
+  "/lib/polkit-1/rules.d/*", "/lib64/polkit-1/rules.d/*", "/var/lib/polkit-1/rules.d/*",
+
+  // NetworkManager
+  "/etc/NetworkManager/dispatcher.d/*",
+
+  // D-bus Service files
+  "/usr/share/dbus-1/system-services/*", "/etc/dbus-1/system.d/*",
+  "/lib/dbus-1/system-services/*", "/run/dbus/system.d/*",
+  "/home/*/.local/share/dbus-1/services/*", "/home/*/.dbus/session-bus/*",
+  "/usr/share/dbus-1/services/*", "/etc/dbus-1/session.d/*",
+
+  // GRUB
+  "/etc/default/grub.d/*", "/etc/default/grub", "/etc/grub.d/*", "/boot/grub2/grub.cfg",
+  "/boot/grub/grub.cfg", "/boot/efi/EFI/*/grub.cfg", "/etc/sysconfig/grub",
+
+  // Dracut
+  "/lib/dracut/modules.d/*", "/usr/lib/dracut/modules.d/*",
+
   // Misc.
   "/etc/shells"
 
diff --git a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
index 20152cf97..4a3d7fcc1 100644
--- a/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
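Review bot: In the new GRUB group, `/boot/grub/grub.cfg`, `/boot/grub2/grub.cfg` and `/boot/efi/EFI/*/grub.cfg` are regenerated by `update-grub`/`grub2-mkconfig` (Debian-family kernel postinst hooks run it on every kernel install), so with a FIM update trigger these entries will fire on routine patching as well as on tampering; the query head and any exclusions sit outside the hunk, so if nothing there filters package-manager activity the group should at least carry a comment such as `// grub.cfg is rewritten by update-grub / grub2-mkconfig on kernel updates - expect hits during patching`. `/home/*/.dbus/session-bus/*` in the D-bus group looks like a noise source rather than a persistence location, since dbus-launch rewrites those address files each time it autolaunches a session bus. On coverage, the GRUB entries match only `grub.cfg`, so `custom.cfg` beside it (sourced by the generated config through `41_custom`) and RHEL's `user.cfg` are missed, and the D-bus group watches `/etc/dbus-1/system.d/*` but not the distro policy directory `/usr/share/dbus-1/system.d/*`. Finally, the FIM integration only reports on directories it is configured to watch, so the new `/boot`, `/usr/share/polkit-1`, `/usr/share/dbus-1` and `/home` locations presumably need to be added to the rule's setup guidance (not in this hunk) or they will never produce events.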
+++ b/rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "sentinel_one_cloud_funnel"]
 maturity = "production"
 min_stack_version = "8.13.0"
 min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
-updated_date = "2025/01/08"
+updated_date = "2025/01/16"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,8 @@ process where host.os.type == "linux" and event.type == "start" and event.action
 process.args : (
   // Misc.
   "/etc/rc.local", "/etc/rc.common", "/etc/rc.d/rc.local", "/etc/init.d/*", "/etc/update-motd.d/*",
-  "/etc/apt/apt.conf.d/*", "/etc/cron*", "/etc/init/*",
+  "/etc/apt/apt.conf.d/*", "/etc/cron*", "/etc/init/*", "/etc/NetworkManager/dispatcher.d/*",
+  "/lib/dracut/modules.d/*", "/usr/lib/dracut/modules.d/*",
 
   // XDG
   "/etc/xdg/autostart/*", "/home/*/.config/autostart/*", "/root/.config/autostart/*",
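Review bot: `/etc/grub.d/*` is absent from the new entries even though the FIM rule in this same change adds it, and it is the one GRUB location where the executable bit matters: `grub-mkconfig` only runs scripts in that directory that pass `test -x`, so a planted `/etc/grub.d/99_*` script needs exactly the `chmod +x` this rule keys on. Adding `"/etc/grub.d/*",` alongside the NetworkManager entry would keep the two rules in step. The dracut entries are harmless but probably low-signal here, since dracut sources `module-setup.sh` and its hook scripts rather than executing them, so the executable bit is not required for a planted module - worth confirming before relying on them. The `process.args : (` list continues past the end of the hunk.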