
Summary
This detection rule identifies potential Pluggable Authentication Module (PAM) version discovery activity on Linux systems. PAM is a crucial part of the authentication process, and attackers may abuse it for various malicious purposes, including backdooring authentication by loading rogue PAM modules. The rule monitors the execution of specific commands, such as package-manager queries (dpkg and rpm) for PAM-related packages like 'libpam-modules' and 'pam', and flags processes that may indicate an adversary's reconnaissance. It triggers on events captured by Elastic Defend and is intended to alert security teams when such package-management activity occurs, since it may indicate an attempt to identify or exploit PAM vulnerabilities. The rule provides comprehensive investigation guidelines and emphasizes validating alerts against legitimate system updates to minimize false positives.
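As an added illustration of the detection logic described above (example code, not Elastic's rule or query language), the following Python applies the same idea to constructed process events: flag dpkg or rpm query invocations whose arguments name a PAM-related package, and tag each alert with whether its parent process looks like a routine update tool to support the false-positive validation the rule calls for. The event field names, query-flag sets and update-parent list are assumptions for the example.

```python
from dataclasses import dataclass

# Hypothetical event shape, loosely modelled on endpoint process telemetry
# (assumption: field names are illustrative, not Elastic's exact schema).
@dataclass
class ProcessEvent:
    name: str                 # executable name, e.g. "dpkg"
    args: list[str]           # full argument vector including argv[0]
    parent_name: str = ""     # parent executable name, used only for triage

# Package-manager forms that list or inspect installed packages (assumption).
QUERY_FLAGS = {
    "dpkg": {"-l", "--list", "-s", "--status", "-L", "--listfiles"},
    "rpm": {"-q", "-qa", "-qi", "-ql", "--query"},
}
# Parents that usually indicate a legitimate update run (assumption, for triage).
UPDATE_PARENTS = {"apt", "apt-get", "unattended-upgrade", "yum", "dnf"}

def is_pam_query(ev: ProcessEvent) -> bool:
    """True when dpkg/rpm is used to query a PAM-related package."""
    flags = QUERY_FLAGS.get(ev.name)
    if not flags:
        return False
    if not any(a in flags for a in ev.args[1:]):
        return False
    # Covers 'libpam-modules' and 'pam' from the rule summary, plus other *pam* names.
    return any("pam" in a.lower() for a in ev.args[1:])

def detect(events: list[ProcessEvent]) -> list[dict]:
    """Return one alert per matching event, tagged for analyst triage."""
    alerts = []
    for ev in events:
        if is_pam_query(ev):
            alerts.append({
                "command": " ".join(ev.args),
                "parent": ev.parent_name,
                "likely_update": ev.parent_name in UPDATE_PARENTS,
            })
    return alerts

# Constructed sample events: two discovery-style queries from a shell, one
# unrelated package listing, and one PAM query launched by an update tool.
SAMPLE_EVENTS = [
    ProcessEvent("dpkg", ["dpkg", "-l", "libpam-modules"], "bash"),
    ProcessEvent("rpm", ["rpm", "-qa", "pam"], "sh"),
    ProcessEvent("dpkg", ["dpkg", "-l", "openssl"], "bash"),
    ProcessEvent("dpkg", ["dpkg", "-s", "libpam-modules"], "unattended-upgrade"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The `likely_update` tag is a triage hint, not a suppression: an analyst still confirms the parent against the host's update schedule before closing the alert.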
Categories
- Endpoint
- Linux
Data Sources
- Container
- User Account
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1082
- T1543
- T1556
Created: 2024-12-16