[Rule Tuning] Potential Persistence via File Modification (#5404)

(cherry picked from commit 612928b)

Author: Aegrah

rules/integrations/fim/persistence_suspicious_file_modifications.toml

@@ -2,7 +2,7 @@
 creation_date = "2024/06/03"
 integration = ["fim"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/12/04"
 
 [rule]
 author = ["Elastic"]
@@ -21,6 +21,10 @@ name = "Potential Persistence via File Modification"
 references = [
     "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms",
     "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms",
+    "https://www.elastic.co/security-labs/continuation-on-persistence-mechanisms",
+    "https://www.elastic.co/security-labs/approaching-the-summit-on-persistence",
+    "https://www.elastic.co/security-labs/the-grand-finale-on-linux-persistence",
+    "https://slayer0x.github.io/awscli/",
 ]
 risk_score = 21
 rule_id = "192657ba-ab0e-4901-89a2-911d611eee98"
@@ -94,6 +98,10 @@ file.path : (
   "/home/*/.config/fish/config.fish", "/root/.config/fish/config.fish",
   "/home/*/.kshrc", "/root/.kshrc",
 
+  // Alias files
+  "/home/*/.bash_aliases", "/root/.bash_aliases", "/home/*/.zsh_aliases", "/root/.zsh_aliases",
+  "/home/*/.aws/cli/alias", "/root/.aws/cli/alias", 
+
   // runtime control
   "/etc/rc.common", "/etc/rc.local",