
Summary
This rule detects unauthorized modifications to standard authentication modules on Linux and macOS systems that use Pluggable Authentication Modules (PAM). Adversaries abuse PAM by altering its configuration files or module binaries to gain unauthorized access or elevate their privileges. The rule flags changes to PAM-related files, such as pam_*.so module binaries or files under /etc/pam.d/, using a KQL query that filters events categorized as 'file change'. It excludes known legitimate processes to reduce false positives and keep the focus on potentially malicious activity. The rule carries an associated risk score and severity level and references the relevant MITRE ATT&CK techniques for persistence (T1543) and credential access (T1556). Investigation steps include reviewing the triggered alerts, analyzing the actions of the related process, and checking the modifying process against the known safe processes. The guide also provides incident response suggestions for mitigating the risk effectively.
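The following is an added illustration of the detection logic the summary describes, written in Python rather than KQL and not taken from the rule itself; the event shape (ECS-style event.category / event.type, file.path, process.executable) and the allowlist of legitimate executables are assumptions, and the sample events are constructed.

```python
import fnmatch
import posixpath

# Assumed allowlist of package-manager binaries treated as legitimate PAM writers.
# The real rule's exclusion list is not reproduced here.
LEGITIMATE_EXECUTABLES = {"/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/apt-get", "/usr/bin/yum"}

# Constructed sample events in an ECS-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"event": {"category": "file", "type": "change"},
     "file": {"path": "/etc/pam.d/sshd"}, "process": {"executable": "/usr/bin/vim"}},
    {"event": {"category": "file", "type": "change"},  # package manager: excluded
     "file": {"path": "/lib/x86_64-linux-gnu/security/pam_unix.so"},
     "process": {"executable": "/usr/bin/dpkg"}},
    {"event": {"category": "file", "type": ["change"]},  # module dropped outside the usual path
     "file": {"path": "/tmp/pam_backdoor.so"}, "process": {"executable": "/tmp/build"}},
    {"event": {"category": "file", "type": "change"},  # not a PAM file
     "file": {"path": "/etc/ssh/sshd_config"}, "process": {"executable": "/usr/bin/vim"}},
    {"event": {"category": "process", "type": "start"},  # wrong event category
     "file": {"path": "/etc/pam.d/login"}, "process": {"executable": "/usr/bin/cp"}},
]


def _as_list(value):
    """ECS fields such as event.type may be a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def is_pam_path(path):
    """True for a PAM module binary (pam_*.so) or anything under /etc/pam.d/."""
    norm = posixpath.normpath(path)  # collapses ../ tricks such as /etc/pam.d/../pam.d/login
    if norm.startswith("/etc/pam.d/"):
        return True
    return fnmatch.fnmatchcase(posixpath.basename(norm), "pam_*.so")


def is_pam_change(event):
    """Apply the rule's three conditions: file-change event, PAM path, non-allowlisted process."""
    ev = event.get("event", {})
    if "file" not in _as_list(ev.get("category")) or "change" not in _as_list(ev.get("type")):
        return False
    if event.get("process", {}).get("executable") in LEGITIMATE_EXECUTABLES:
        return False
    return is_pam_path(event.get("file", {}).get("path", ""))


def flag_pam_modifications(events):
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if is_pam_change(e)]


if __name__ == "__main__":
    for hit in flag_pam_modifications(SAMPLE_EVENTS):
        print(hit["process"]["executable"], "modified", hit["file"]["path"])
```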
Categories
- Endpoint
- Linux
- macOS
Data Sources
- File
- Process
ATT&CK Techniques
- T1543
- T1556
Created: 2020-12-21