diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
index a712ec52e..568fc413c 100644
--- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
+++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/21"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/08"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Modification of Standard Authentication Module or Configuration"
+name = "Deprecated - Modification of Standard Authentication Module or Configuration"
 references = [
 "https://github.com/zephrax/linux-pam-backdoor",
 "https://github.com/eurialo/pambd",
@@ -39,7 +39,6 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
-
 query = '''
 event.category:file and event.type:change and
 (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and
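Review bot: The rule is renamed with a `Deprecated - ` prefix in hunk @@ -17 while the metadata hunk above it still carries `maturity = "production"` and no deprecation date, so anything that filters rules on maturity keeps loading this one as active. If the rename is the first step of a staged deprecation, that is worth stating in the commit description or the rule's note, together with the rule that supersedes it (presumably the Linux PAM creation rule touched in this same commit). Otherwise the metadata should move with the name, e.g. `maturity = "deprecated"` plus the corresponding deprecation date field.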
@@ -74,7 +73,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Modification of Standard Authentication Module or Configuration
+### Investigating Deprecated - Modification of Standard Authentication Module or Configuration
 
 Authentication modules, such as PAM (Pluggable Authentication Modules), are crucial for managing user authentication in Linux and macOS environments. Adversaries may exploit these by altering module files or configurations to gain unauthorized access or escalate privileges. The detection rule identifies suspicious changes to these modules, excluding legitimate processes and paths, to flag potential unauthorized modifications.
 
diff --git a/rules/linux/persistence_pluggable_authentication_module_creation.toml b/rules/linux/persistence_pluggable_authentication_module_creation.toml
index e01f5e225..62988877d 100644
--- a/rules/linux/persistence_pluggable_authentication_module_creation.toml
+++ b/rules/linux/persistence_pluggable_authentication_module_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/03/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/12/08"
 
 [rule]
 author = ["Elastic"]
@@ -42,12 +42,12 @@ type = "eql" query = ''' file where host.os.type == "linux" and event.action in ("rename", "creation") and process.executable != null and ( - (file.path like~ ( + (file.path like ( "/lib/security/*", "/lib64/security/*", "/usr/lib/security/*", "/usr/lib64/security/*", "/lib/x86_64-linux-gnu/security/*", "/usr/lib/x86_64-linux-gnu/security/*" ) and file.extension == "so") or - (file.path like~ "/etc/pam.d/*" and file.extension == null) or - (file.path like~ "/etc/security/pam_*" or file.path == "/etc/pam.conf") + (file.path like "/etc/pam.d/*" and file.extension == null) or + (file.path like "/etc/security/pam_*" or file.path == "/etc/pam.conf") ) and not ( process.executable in ( "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", @@ -58,7 +58,10 @@ process.executable != null and ( "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client", "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon", "/bin/pamac-daemon", "/usr/lib/snapd/snapd", "/usr/local/bin/dockerd", "/usr/sbin/pam-auth-update", - "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update" + "/usr/lib/systemd/systemd", "/usr/libexec/packagekitd", "/usr/bin/bsdtar", "/sbin/pam-auth-update", "./user/bin/podman", + "/usr/bin/dnf5", "/opt/puppetlabs/puppet/bin/ruby", "/usr/bin/crio", "/sbin/authconfig", "/usr/sbin/yum-cron", + "/sbin/yum-cron", "/usr/local/psa/bin/dnf_install", "/opt/jc/bin/jumpcloud-agent" + ) or file.path like ( "/tmp/snap.rootfs_*/pam_*.so", "/tmp/newroot/lib/*/pam_*.so", "/tmp/newroot/usr/lib64/security/pam_*.so" 
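Review bot: `"./user/bin/podman"` in the added process.executable list (hunk @@ -58) looks like a typo for `/usr/bin/podman`: process.executable carries an absolute path, so an entry with a leading `./` and `user` in place of `usr` can never match and the exclusion is dead. The `in (...)` list is exact-match, so the fix is simply `"/usr/bin/podman",`. The hunk header also reports four added lines against one removed, and the collapsed text suggests the fourth is an empty line just before `) or file.path like (`; if that is a stray blank inside the list it should be dropped.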
@@ -66,10 +69,12 @@ process.executable != null and (
 file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
 file.Ext.original.extension == "dpkg-new" or
 process.executable like (
-"/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*"
+"/nix/store/*", "/var/lib/dpkg/*", "/snap/*", "/dev/fd/*", "/usr/lib/virtualbox/*", "/usr/bin/python*",
+"/opt/alt/python*/bin/python*", "/usr/libexec/platform-python*", "./snap/snapd/*/usr/lib/snapd/snap-update-ns"
 ) or
 (process.name == "sed" and file.name like~ "sed*") or
-(process.name == "perl" and file.name like~ "e2scrub_all.tmp*")
+(process.name == "perl" and file.name like~ "e2scrub_all.tmp*") or
+(process.name == "perl" and event.action == "rename" and file.Ext.original.name like "*.pam-new")
 )
 '''
 note = """## Triage and analysis
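Review bot: The wildcard exclusions `"/usr/bin/python*"`, `"/opt/alt/python*/bin/python*"` and `"/usr/libexec/platform-python*"` added to `process.executable like (` silence the rule for every Python interpreter on the host, so a pam_*.so or /etc/pam.d entry written by any Python process is no longer reported; for a persistence rule that is a broad coverage gap and should be scoped to the tooling that legitimately writes PAM files from Python (for example by also constraining `process.parent.executable` or `process.args`), or at least recorded as a known gap in the rule's note. The entry `"./snap/snapd/*/usr/lib/snapd/snap-update-ns"` has a leading `./` that an absolute process.executable will never match, and the existing `"/snap/*"` pattern on the same line appears to cover the intended path already, so it can go. The new perl clause keys only on `process.name == "perl"`, which is a weaker anchor than the executable paths used throughout the rest of the list; `process.executable in ("/usr/bin/perl", "/bin/perl")` would be more robust. It also mixes `like "*.pam-new"` with the `like~` used on the adjacent `file.name` clauses — pick one operator for the block.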