
Pluggable Authentication Module (PAM) Creation in Unusual Directory
Elastic Detection Rules
Summary
This detection rule identifies the creation of Pluggable Authentication Module (PAM) shared object files in atypical directory locations on Linux systems, where attackers may seek to establish persistence or harvest credentials. Malicious PAM modules are often compiled in temporary or unconventional directories and later moved into the system PAM directories, posing a substantial security threat. The rule uses EQL to query log data for file creations whose names match the pattern 'pam_*.so', while filtering out legitimate processes and known safe directories. False positives may arise from trusted system updates or benign PAM module configuration changes. In this way, the rule helps identify potentially malicious activity that deviates from official PAM usage patterns.
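To make the detection logic concrete, here is an added Python emulation of the check described above, run over constructed file-creation events; it is not the rule's own EQL, and the allow-listed PAM directories and trusted package-manager processes are assumptions standing in for the rule's actual exclusions.

```python
import fnmatch
import posixpath

# Assumed standard PAM module directories (illustrative, not the rule's list).
SAFE_PAM_DIRS = {
    "/lib/security",
    "/lib64/security",
    "/usr/lib/security",
    "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security",
    "/usr/lib/x86_64-linux-gnu/security",
}
# Assumed trusted processes that legitimately write pam_*.so during updates.
TRUSTED_PROCESSES = {"/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/apt-get",
                     "/usr/bin/yum", "/usr/bin/dnf"}


def is_suspicious_pam_creation(event):
    """True when a Linux file-creation event writes a pam_*.so file outside
    the standard PAM directories and not via a trusted process."""
    if event.get("os") != "linux" or event.get("type") != "creation":
        return False
    path = event.get("path", "")
    # Match the whole basename against pam_*.so (libpam_x.so does not match).
    if not fnmatch.fnmatchcase(posixpath.basename(path), "pam_*.so"):
        return False
    if posixpath.dirname(path) in SAFE_PAM_DIRS:
        return False
    if event.get("process") in TRUSTED_PROCESSES:
        return False
    return True


def find_alerts(events):
    """Run the check over a batch of events; return the paths that alert."""
    return [e["path"] for e in events if is_suspicious_pam_creation(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"os": "linux", "type": "creation", "path": "/tmp/build/pam_unix.so", "process": "/usr/bin/gcc"},
    {"os": "linux", "type": "creation", "path": "/usr/lib64/security/pam_sss.so", "process": "/usr/bin/rpm"},
    {"os": "linux", "type": "creation", "path": "/usr/lib/security/pam_custom.so", "process": "/usr/bin/dpkg"},
    {"os": "linux", "type": "creation", "path": "/dev/shm/pam_shim.so", "process": "/usr/bin/cp"},
    {"os": "linux", "type": "modification", "path": "/tmp/pam_x.so", "process": "/usr/bin/cp"},
    {"os": "linux", "type": "creation", "path": "/tmp/libpam_helper.so", "process": "/usr/bin/cp"},
]

if __name__ == "__main__":
    for path in find_alerts(SAMPLE_EVENTS):
        print("ALERT: PAM module created outside standard directories:", path)
```

Only the two creations under /tmp and /dev/shm alert; the writes into standard PAM directories, the non-creation event, and the file that does not match the pam_*.so pattern are all filtered out.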
Categories
- Endpoint
- Linux
- Cloud
Data Sources
- File
- Container
- Application Log
ATT&CK Techniques
- T1543
- T1556
Created: 2024-12-16