Potential Backdoor Execution Through PAM_EXEC

Elastic Detection Rules

Summary
This rule by Elastic identifies potential backdoor execution through the Pluggable Authentication Module (PAM), and specifically the pam_exec module, on Linux systems. The detection focuses on a suspicious session ID change in an SSH process, followed by the execution of a child process that could indicate malicious behavior. Adversaries often abuse PAM to maintain persistence on a system by having a script or command run every time a user logs in. The detection query therefore looks for a sequence of events in which a session ID change occurs in an SSH process and is followed by the start of a potentially harmful executable. Monitoring this sequence helps surface credential-access and persistence tactics that could indicate a compromised environment.
Categories
  • Linux
  • Endpoint
  • Application
Data Sources
  • Process
ATT&CK Techniques
  • T1543
  • T1556
Created: 2025-04-29