Modify sshd_config

Anvilogic Forge

Summary
This detection rule monitors modifications to the 'sshd_config' file, which controls the SSH server's settings. It identifies commands typically used to edit that file, such as 'vi', 'vim', 'nano' and 'echo', when they appear together with the file name 'sshd_config', and it also tracks commands that restart or start the SSH service, which may indicate an attempt to activate a backdoor user account for unauthorized access. The rule uses regular expressions to extract the relevant command-line activity from the data sources and correlates the edit and service-restart events to surface potential unauthorized manipulation of the SSH configuration. The rule is associated with TeamTNT, reflecting that threat actor's known tactics for compromising systems. It analyzes Linux audit logs and process command-line parameters, focusing on monitored Unix environments.
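The detection logic described above, as an added Python example that is not Anvilogic's rule code: two regular expressions pick out sshd_config edits and SSH service restarts from process command lines, and a per-host correlation pairs each edit with a restart that follows it inside a time window. The regex patterns, the pipe-delimited event format, the 30-minute window and the sample events are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Editors/commands the summary names, anchored on the file name (assumed pattern).
EDIT_RE = re.compile(r"\b(?:vi|vim|nano|echo)\b.*\bsshd_config\b")

# Service start/restart forms for the SSH daemon (assumed pattern).
RESTART_RE = re.compile(
    r"systemctl\s+(?:restart|start)\s+(?:ssh|sshd)\b"
    r"|service\s+(?:ssh|sshd)\s+(?:restart|start)\b"
    r"|/etc/init\.d/(?:ssh|sshd)\s+(?:restart|start)\b"
)

# Constructed sample events: timestamp|host|user|command line.
SAMPLE_LOG = """\
2024-02-09T10:00:00|web01|root|vim /etc/hosts
2024-02-09T10:02:10|web01|root|vi /etc/ssh/sshd_config
2024-02-09T10:03:45|web01|root|systemctl restart sshd
2024-02-09T11:15:00|db02|deploy|nano /etc/ssh/sshd_config
2024-02-09T11:20:00|db02|deploy|echo 'note' >> /tmp/notes.txt
2024-02-09T12:00:00|build03|ci|service ssh restart
"""


def parse_events(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "cmdline": cmdline})
    return events


def classify(cmdline):
    """Return 'edit', 'restart', or None for a process command line."""
    if EDIT_RE.search(cmdline):
        return "edit"
    if RESTART_RE.search(cmdline):
        return "restart"
    return None


def detect(events, window=timedelta(minutes=30)):
    """Emit one alert per sshd_config edit; mark it correlated when the same
    host restarts/starts SSH within `window` after the edit."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        kind = classify(e["cmdline"])
        if kind:
            by_host[e["host"]].append((kind, e))

    alerts = []
    for host, tagged in by_host.items():
        for i, (kind, edit) in enumerate(tagged):
            if kind != "edit":
                continue
            restart = next((e for k, e in tagged[i + 1:]
                            if k == "restart" and e["ts"] - edit["ts"] <= window), None)
            alerts.append({
                "host": host,
                "user": edit["user"],
                "edit_cmd": edit["cmdline"],
                "restart_cmd": restart["cmdline"] if restart else None,
                "correlated": restart is not None,
            })
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

An edit without a following restart still produces an alert (the change may take effect on the next reboot), while a restart with no preceding edit produces none on its own; tuning the window and deciding whether a bare restart deserves a lower-severity signal are the usual adjustments when deploying this against real audit data.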
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1098.004
Created: 2024-02-09