Creation or Modification of Pluggable Authentication Module or Configuration

Elastic Detection Rules

Summary
This rule detects the creation or modification of Pluggable Authentication Module (PAM) shared-object files and configuration files on Linux systems. Because PAM sits directly in the authentication path, such changes may indicate that an attacker is establishing persistence on a compromised host or capturing user credentials. The rule uses EQL (Event Query Language) to monitor file events in the directories associated with PAM, covering both plugin (shared-object) and configuration files, and excludes well-known legitimate processes so that routine package-management operations do not produce false positives. The rule's risk score is medium, reflecting a moderate likelihood of abuse under the relevant conditions.
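The following is an added example, not Elastic's EQL rule: a small Python model of the detection logic the summary describes, run over constructed file events. The PAM directories, the package-manager allow-list and the sample events are assumptions chosen to illustrate the logic, not values taken from the rule.

```python
from dataclasses import dataclass
import re

# Assumed PAM module directories and configuration paths (not from the rule page).
PAM_MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                   "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/")
PAM_CONFIG_PREFIXES = ("/etc/pam.d/", "/etc/pam.conf")
PAM_MODULE_RE = re.compile(r"/pam_[\w.-]+\.so(\.\d+)*$")
# Assumed allow-list of package managers that legitimately write PAM files.
BENIGN_PROCESSES = frozenset({"dpkg", "rpm", "yum", "dnf", "apt", "apt-get"})

@dataclass(frozen=True)
class FileEvent:
    action: str        # e.g. "creation", "modification", "rename", "deletion"
    path: str
    process_name: str  # name of the process that performed the file operation

def is_pam_module(path: str) -> bool:
    """A pam_*.so (optionally versioned) under one of the module directories."""
    return path.startswith(PAM_MODULE_DIRS) and bool(PAM_MODULE_RE.search(path))

def is_pam_config(path: str) -> bool:
    return path.startswith(PAM_CONFIG_PREFIXES)

def matches_rule(ev: FileEvent) -> bool:
    """Alert when a PAM plugin or config is written by a non-package-manager."""
    if ev.action not in ("creation", "modification", "rename"):
        return False  # deletions are out of scope for this persistence rule
    if ev.process_name in BENIGN_PROCESSES:
        return False  # suppress routine package installs/upgrades
    return is_pam_module(ev.path) or is_pam_config(ev.path)

def alerts(events) -> list:
    """Paths of all events that would fire the rule, in order."""
    return [ev.path for ev in events if matches_rule(ev)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("creation", "/lib/x86_64-linux-gnu/security/pam_unix.so", "dpkg"),
    FileEvent("creation", "/lib/x86_64-linux-gnu/security/pam_custom.so", "bash"),
    FileEvent("modification", "/etc/pam.d/sshd", "vim"),
    FileEvent("modification", "/etc/ssh/sshd_config", "vim"),
    FileEvent("creation", "/lib/security/README", "cp"),
]

if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT: PAM file written outside package management:", path)
```

Only the shell-written module and the edited /etc/pam.d/sshd fire; the dpkg install, the non-PAM sshd_config edit and the non-module file under /lib/security are suppressed.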
Categories
  • Linux
  • Endpoint
Data Sources
  • File
ATT&CK Techniques
  • T1543
  • T1556
Created: 2024-03-06