
Summary
This detection rule identifies modifications to SSH authorized_keys files and to the SSH daemon configuration on Linux and macOS systems. An authorized_keys file lists the public keys that are permitted to authenticate as the owning user, which makes it a prime persistence target: an adversary who appends their own public key obtains a password-independent login that survives credential rotation and often the cleanup of the initial foothold, and loosening the sshd configuration can have the same effect. The rule flags writes to these files while excluding modifications made by common legitimate processes such as git, vim, and Docker, which keeps the detection focused on suspicious writers and reduces false positives. The rule's notes walk security teams through investigating an alert: examining the process that made the modification, assessing whether the user account involved is legitimate, and analyzing recent SSH activity for sessions that may already be using the added key.
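The following is an added example, not the rule's own query or any code from the project that publishes it. It sketches the logic the summary describes in Python over a handful of constructed file-modification events: a write to an authorized_keys file or the sshd configuration raises an alert unless the writing process is one of the excluded tools, and a small triage helper shows which key lines a flagged modification introduced. The watched path patterns, the exact set of excluded process names, the event fields, and the sample events and key lines are all assumptions made for illustration.

```python
"""Added example of the detection logic described above (not the original
rule).  Event schema, path patterns, exclusion list and sample data are
constructed for illustration."""
import fnmatch
from dataclasses import dataclass

# Files the rule watches.  Assumed glob patterns; the real rule's path
# matching is not reproduced on this page.
WATCHED_PATHS = (
    "/root/.ssh/authorized_keys",
    "/home/*/.ssh/authorized_keys",
    "/Users/*/.ssh/authorized_keys",   # macOS home directories
    "/etc/ssh/sshd_config",
    "/etc/ssh/sshd_config.d/*",
)

# Writers the summary says are excluded (git, vim, Docker).  The exact
# executable names are an assumption.
EXCLUDED_PROCESSES = frozenset({"git", "vim", "docker", "dockerd"})


@dataclass(frozen=True)
class FileEvent:
    """Minimal file-modification event.  Field names are assumed."""
    host: str
    user: str
    process: str   # name of the process that wrote the file
    path: str
    action: str    # "created" or "modified"


def is_watched(path: str) -> bool:
    """True if the path is an authorized_keys file or sshd configuration."""
    return any(fnmatch.fnmatchcase(path, pat) for pat in WATCHED_PATHS)


def evaluate(events):
    """Return the events that would alert: a create/modify of a watched
    file by a process that is not on the exclusion list."""
    return [
        e for e in events
        if e.action in ("created", "modified")
        and is_watched(e.path)
        and e.process not in EXCLUDED_PROCESSES
    ]


def added_keys(before: str, after: str):
    """Triage helper: key lines present in the new authorized_keys content
    but absent from the old.  Blank lines and comments are ignored."""
    def keys(text):
        return {ln.strip() for ln in text.splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")}
    return sorted(keys(after) - keys(before))


# Constructed sample events: two legitimate editors, one unrelated file,
# and three writers that should be flagged.
SAMPLE_EVENTS = [
    FileEvent("web01", "alice", "vim", "/home/alice/.ssh/authorized_keys", "modified"),
    FileEvent("web01", "root", "bash", "/root/.ssh/authorized_keys", "modified"),
    FileEvent("web01", "www-data", "python3", "/home/deploy/.ssh/authorized_keys", "created"),
    FileEvent("web02", "root", "dockerd", "/etc/ssh/sshd_config", "modified"),
    FileEvent("web02", "root", "sed", "/etc/ssh/sshd_config", "modified"),
    FileEvent("web02", "alice", "vim", "/home/alice/notes.txt", "modified"),
]

# Constructed before/after contents of an authorized_keys file; the key
# material is a placeholder, not a real public key.
AUTHORIZED_KEYS_BEFORE = "ssh-ed25519 AAAAC3CONSTRUCTEDKEY1 alice@laptop\n"
AUTHORIZED_KEYS_AFTER = (AUTHORIZED_KEYS_BEFORE
                         + "# convenience\n"
                         + "ssh-rsa AAAAB3CONSTRUCTEDKEY2 backup@example\n")

if __name__ == "__main__":
    for e in evaluate(SAMPLE_EVENTS):
        print(f"ALERT host={e.host} user={e.user} process={e.process} "
              f"{e.action} {e.path}")
    for line in added_keys(AUTHORIZED_KEYS_BEFORE, AUTHORIZED_KEYS_AFTER):
        print("added key:", line)
```

Run as a script it prints three alerts (the bash, python3 and sed writers) and the one key line that was added; the vim and dockerd writes are suppressed by the exclusion list, and the notes file is never considered because it is not a watched path. The exclusion by process name is the rule's false-positive control and also its obvious blind spot: an attacker can append a key from a process named like an excluded tool, so the investigation steps in the notes (who ran the writer, which account, what SSH sessions followed) still matter for the events that are suppressed.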
Categories
- Endpoint
- Linux
- macOS
Data Sources
- File
- Logon Session
- Process
- Network Traffic
ATT&CK Techniques
- T1098
- T1098.004
- T1021
- T1021.004
- T1563
- T1563.001
Created: 2020-12-22