diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index 7b4c2af3f..370539d6d 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -3,7 +3,7 @@ creation_date = "2020/04/29"
 maturity = "production"
 min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
-updated_date = "2022/03/31"
+updated_date = "2022/07/20"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 33
-name = "Creation of Hidden Files and Directories"
+name = "Creation of Hidden Files and Directories via CommandLine"
 note = """## Setup
 
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml
new file mode 100644
index 000000000..e6937f26f
--- /dev/null
+++ b/rules/linux/defense_evasion_hidden_shared_object.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2022/07/20"
+maturity = "production"
+updated_date = "2022/07/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a "." as the first character in the file or folder name.
+Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+max_signals = 33
+name = "Creation of Hidden Shared Object File"
+note = """## Setup
+
+If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
+"""
+risk_score = 47
+rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where event.action : "creation" and file.extension == "so" and file.name : ".*.so" 
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+[[rule.threat.technique.subtechnique]]
+id = "T1564.001"
+name = "Hidden Files and Directories"
+reference = "https://attack.mitre.org/techniques/T1564/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+