diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
new file mode 100644
index 000000000..76e8dad4c
--- /dev/null
+++ b/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/06/06"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/06/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. 
+The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying 
+the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and
+has been used to evade detection of malicious processes in container environments. 
+"""
+from = "now-6m"
+index = ["logs-cloud_defend*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Modification of Dynamic Linker Preload Shared Object Inside A Container"
+references = [
+    "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
+    "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", 
+    "https://sysdig.com/blog/threat-detection-aws-cloud-containers/",
+] 
+risk_score = 73
+rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee"
+severity = "high"
+tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "Tactic: Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+[[rule.threat.technique.subtechnique]]
+id = "T1574.006"
+name = "Dynamic Linker Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"