
Summary
This detection rule identifies potentially malicious activity involving SSH (Secure Shell) processes, focusing on file changes associated with known SSH backdoor log files. Adversaries may modify SSH binaries to maintain unauthorized access or to log credentials. The rule is designed to catch such unauthorized modifications to SSH-related binaries and log files by tracking file changes whose originating process is an SSH client or server executable. The associated query examines file-change events on Linux systems, keeps those triggered by SSH processes such as '/usr/sbin/sshd' or '/usr/bin/ssh', and then filters on file attributes that can indicate backdoor activity: file names, extensions, and paths commonly targeted by threat actors.
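The following is an added Python example, not the rule's own query, that replays the summary's logic over a handful of constructed file-change events: keep events whose originating process is one of the SSH executables named above, then match the file against a watchlist of names, extensions, and paths. The ECS-style field names (event.category, host.os.type, process.executable, file.path, file.name, file.extension) and the watchlist values are my assumptions, since the summary says the rule filters on those attributes but does not list them; the executables '/usr/sbin/sshd' and '/usr/bin/ssh' are the ones the page gives.

```python
import fnmatch
from typing import Dict, List

# Process executables the page names: the rule looks at file changes made by these.
SSH_EXECUTABLES = {"/usr/sbin/sshd", "/usr/bin/ssh"}

# Constructed, hypothetical watchlist for this example. The page only says the rule
# filters on file names, extensions and paths; it does not list them, so these
# values are NOT the rule's own criteria.
SUSPICIOUS_NAME_SUFFIXES = ("~",)              # e.g. a leftover copy of a replaced binary
SUSPICIOUS_EXTENSIONS = {"log", "in", "out"}   # plausible credential-capture output files
SUSPICIOUS_PATH_GLOBS = ("/tmp/*", "/var/tmp/*", "/usr/lib/*", "/usr/bin/ssh*", "/usr/sbin/sshd*")


def matched_criteria(event: Dict[str, str]) -> List[str]:
    """Return the watchlist criteria the file in this event satisfies (empty if none)."""
    reasons = []
    name = event.get("file.name", "")
    ext = event.get("file.extension", "")
    path = event.get("file.path", "")
    if name.endswith(SUSPICIOUS_NAME_SUFFIXES):
        reasons.append(f"name suffix {name!r}")
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append(f"extension {ext!r}")
    if any(fnmatch.fnmatch(path, pattern) for pattern in SUSPICIOUS_PATH_GLOBS):
        reasons.append(f"path {path!r}")
    return reasons


def matches_rule(event: Dict[str, str]) -> bool:
    """Mirror the summary: a file change on Linux, made by an SSH process, touching a watchlisted file."""
    return (
        event.get("event.category") == "file"
        and event.get("host.os.type") == "linux"
        and event.get("process.executable") in SSH_EXECUTABLES
        and bool(matched_criteria(event))
    )


def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that would raise an alert, in input order."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events (not real telemetry), chosen to exercise each branch of the logic.
SAMPLE_EVENTS = [
    # 1. sshd writes a backup-style copy of the ssh client binary: alerts (name suffix + path).
    {"event.category": "file", "host.os.type": "linux", "process.executable": "/usr/sbin/sshd",
     "file.path": "/usr/bin/ssh~", "file.name": "ssh~", "file.extension": ""},
    # 2. sshd writes a hidden .log file in /tmp: alerts (extension + path).
    {"event.category": "file", "host.os.type": "linux", "process.executable": "/usr/sbin/sshd",
     "file.path": "/tmp/.sshd.log", "file.name": ".sshd.log", "file.extension": "log"},
    # 3. sshd updating the login record: SSH process, but nothing on the watchlist, so no alert.
    {"event.category": "file", "host.os.type": "linux", "process.executable": "/usr/sbin/sshd",
     "file.path": "/var/log/wtmp", "file.name": "wtmp", "file.extension": ""},
    # 4. An editor touches the same backup-style name: not an SSH process, so out of scope.
    {"event.category": "file", "host.os.type": "linux", "process.executable": "/usr/bin/vim",
     "file.path": "/usr/bin/ssh~", "file.name": "ssh~", "file.extension": ""},
    # 5. Same file as 2 but on a non-Linux host: the rule is scoped to Linux, so no alert.
    {"event.category": "file", "host.os.type": "macos", "process.executable": "/usr/bin/ssh",
     "file.path": "/tmp/.sshd.log", "file.name": ".sshd.log", "file.extension": "log"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"{alert['process.executable']} -> {alert['file.path']}: "
              + ", ".join(matched_criteria(alert)))
```

Events 3 and 4 are the ones worth keeping in mind when tuning: a legitimate sshd writes plenty of files, so the watchlist on names, extensions and paths is what keeps the rule from firing on every login record, and a non-SSH process writing an ssh-looking file is simply outside this rule's scope.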
Categories
- Endpoint
- Linux
Data Sources
- File
- Logon Session
- Process
ATT&CK Techniques
- T1556
- T1554
Created: 2020-12-21