diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml
new file mode 100644
index 000000000..1590b6bd4
--- /dev/null
+++ b/rules/linux/persistence_message_of_the_day_creation.toml
@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2023/02/28"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
+min_stack_version = "8.6.0"
+updated_date = "2023/04/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or
+a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and
+"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a
+serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a
+user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially
+malicious files within the default MOTD file directories.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Potential Persistence Through MOTD File Creation Detected"
+references = [
+    "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
+]
+risk_score = 47
+rule_id = "96d11d31-9a79-480f-8401-da28b194608f"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+type = "new_terms"
+
+query = '''
+host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and 
+file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not 
+process.executable : ("/usr/bin/dpkg" or "/usr/bin/dockerd" or "/bin/rpm") and not 
+file.extension : "swp"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["file.path", "process.name"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
\ No newline at end of file
diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml
new file mode 100644
index 000000000..4d9fa68ca
--- /dev/null
+++ b/rules/linux/persistence_message_of_the_day_execution.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/02/28"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/04/03"
+
+[rule]
+author = ["Elastic"]
+description = """
+Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH 
+or a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" and 
+"/usr/lib/update-notifier/" directories. These scripts run as the root user every time a user connects over SSH or a 
+serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a 
+user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially 
+malicious processes through the MOTD utility. 
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Process Spawned from MOTD Detected"
+references = [
+    "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"
+]
+risk_score = 73
+rule_id = "4ec47004-b34a-42e6-8003-376a123ea447"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "linux" and 
+event.type == "start" and event.action : ("exec", "exec_event") and
+process.parent.executable : ("/etc/update-motd.d/*", "/usr/lib/update-notifier/*") and
+process.executable : ("*sh", "python*", "perl", "php*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1037"
+name = "Boot or Logon Initialization Scripts"
+reference = "https://attack.mitre.org/techniques/T1037/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"