diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml
index e9177e41c..d3edbcc11 100644
--- a/rules/linux/persistence_rc_script_creation.toml
+++ b/rules/linux/persistence_rc_script_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/02/28"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/20"
 
 [transform]
 [[transform.osquery]]
@@ -24,24 +24,23 @@ SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants
 label = "Osquery - Retrieve Crontab Information"
 query = "SELECT * FROM crontab"
 
-
 [rule]
 author = ["Elastic"]
 description = """
-This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the
-use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or
-commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the
-"systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter
-rc.local to execute malicious code at start-up, and gain persistence onto the system.
+This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start
+custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by
+Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at
+boot. Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the
+system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*", "endgame-*"]
-language = "kuery"
+index = ["logs-endpoint.events.*"]
+language = "eql"
 license = "Elastic License v2"
-name = "Potential Persistence Through Run Control Detected"
+name = "rc.local/rc.common File Creation"
 note = """## Triage and analysis
 
-### Investigating Potential Persistence Through Run Control Detected
+### Investigating rc.local/rc.common File Creation
 
 The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.
 
@@ -136,45 +135,50 @@ tags = [
     "OS: Linux",
     "Use Case: Threat Detection",
     "Tactic: Persistence",
-    "Data Source: Elastic Endgame",
     "Resources: Investigation Guide",
     "Data Source: Elastic Defend",
 ]
 timestamp_override = "event.ingested"
-type = "new_terms"
+type = "eql"
 
 query = '''
-host.os.type : "linux" and event.category : "file" and
-event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and
-file.path : "/etc/rc.local" and not process.name : (
-  "dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg"
-) and not file.extension : ("swp" or "swpx")
+file where host.os.type == "linux" and event.action in ("rename", "creation") and
+file.path in ("/etc/rc.local", "/etc/rc.common") and not (
+  process.executable in (
+    "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
+    "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
+    "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
+    "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
+    "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
+    "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
+    "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*",  "/usr/bin/pamac-daemon",
+    "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd"
+  ) or
+  file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
+  file.Ext.original.extension == "dpkg-new" or
+  process.executable : (
+    "/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
+  ) or
+  process.executable == null or
+  (process.name == "sed" and file.name : "sed*") or
+  (process.name == "perl" and file.name : "e2scrub_all.tmp*") 
+)
 '''
 
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
+
 [[rule.threat.technique]]
 id = "T1037"
 name = "Boot or Logon Initialization Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/"
+
 [[rule.threat.technique.subtechnique]]
 id = "T1037.004"
 name = "RC Scripts"
 reference = "https://attack.mitre.org/techniques/T1037/004/"
 
-
-
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
-[rule.new_terms]
-field = "new_terms_fields"
-value = ["host.id", "process.executable", "user.id"]
-[[rule.new_terms.history_window_start]]
-field = "history_window_start"
-value = "now-7d"
-
-