
Summary
This detection rule identifies privilege escalation attempts in Linux environments that use GDB (the GNU Debugger) together with the CAP_SYS_PTRACE capability. A process granted CAP_SYS_PTRACE can use the ptrace system call to observe and control other processes; this is intended for debugging, but an attacker who obtains the capability can use it to gain unauthorized access to higher privileges. The rule specifically looks for sequences in which GDB is executed with this elevated capability and subsequent processes are spawned or executed as the root user (UID/GID 0). Such activity indicates potential abuse: it allows an attacker to inject code into processes running as root and thereby escalate privileges. The rule is designed to work with data from the Elastic Defend integration, which provides the process execution and capability events it monitors. Security teams should investigate alerts generated by this rule to determine whether the GDB usage is legitimate or indicative of an attack. Specific investigation steps are outlined to assist in evaluating the context of an alert and ensuring appropriate response actions are taken. Potential false positive scenarios are also considered, to help fine-tune the detection without compromising alerting on genuine threats.
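The sequence the rule describes (a non-root user executing gdb with CAP_SYS_PTRACE in its effective capability set, followed shortly by a process running as UID 0 on the same host) can be reproduced as plain detection logic over process events. The block below is an added illustration, not the rule's own query or code from the Elastic project: the event records are constructed, the field names are modelled loosely on ECS (`process.thread.capabilities.effective`, `user.id`, `host.id`), and the 30-second correlation window and per-host grouping are assumptions of this example rather than the rule's actual parameters.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real captures). Field names are modelled on
# ECS but are an assumption of this example, not the rule's actual query fields.
SAMPLE_EVENTS = [
    # Host h1: unprivileged user runs gdb holding CAP_SYS_PTRACE, then a root
    # shell appears three seconds later -> matches the described sequence.
    {"@timestamp": "2024-01-09T10:00:00Z", "host.id": "h1", "event.action": "exec",
     "process.name": "gdb", "process.pid": 4242, "user.id": "1000",
     "process.thread.capabilities.effective": ["CAP_SYS_PTRACE"]},
    {"@timestamp": "2024-01-09T10:00:03Z", "host.id": "h1", "event.action": "exec",
     "process.name": "bash", "process.pid": 4243, "user.id": "0",
     "process.thread.capabilities.effective": []},
    # Host h2: root administrator debugging with gdb, then another root process.
    # No escalation took place (the actor was already UID 0), so no alert.
    {"@timestamp": "2024-01-09T11:00:00Z", "host.id": "h2", "event.action": "exec",
     "process.name": "gdb", "process.pid": 9001, "user.id": "0",
     "process.thread.capabilities.effective": ["CAP_SYS_PTRACE"]},
    {"@timestamp": "2024-01-09T11:00:01Z", "host.id": "h2", "event.action": "exec",
     "process.name": "sh", "process.pid": 9002, "user.id": "0",
     "process.thread.capabilities.effective": []},
    # Host h3: non-root gdb with the capability, but the root process is two
    # minutes later, outside the (assumed) correlation window -> no alert.
    {"@timestamp": "2024-01-09T12:00:00Z", "host.id": "h3", "event.action": "exec",
     "process.name": "gdb", "process.pid": 7001, "user.id": "1001",
     "process.thread.capabilities.effective": ["CAP_SYS_PTRACE"]},
    {"@timestamp": "2024-01-09T12:02:00Z", "host.id": "h3", "event.action": "exec",
     "process.name": "cron", "process.pid": 7002, "user.id": "0",
     "process.thread.capabilities.effective": []},
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_gdb_with_ptrace(ev: dict) -> bool:
    """First stage of the sequence: gdb executed by a non-root user with
    CAP_SYS_PTRACE present in the effective capability set."""
    return (
        ev.get("event.action") == "exec"
        and ev.get("process.name") == "gdb"
        and "CAP_SYS_PTRACE" in ev.get("process.thread.capabilities.effective", [])
        and ev.get("user.id") != "0"
    )


def detect_gdb_ptrace_escalation(events: list, window_seconds: int = 30) -> list:
    """Correlate the two stages per host within a time window.

    Returns one alert per (gdb event, later root process) pair. The window
    length and host-level grouping are simplifying assumptions of this example.
    """
    alerts = []
    pending = {}  # host.id -> gdb events still inside the window
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        host = ev["host.id"]
        now = parse_ts(ev["@timestamp"])
        # Expire first-stage events that are older than the window.
        pending[host] = [
            g for g in pending.get(host, [])
            if now - parse_ts(g["@timestamp"]) <= timedelta(seconds=window_seconds)
        ]
        if is_gdb_with_ptrace(ev):
            pending[host].append(ev)
            continue
        # Second stage: any subsequent exec as UID 0 on the same host.
        if ev.get("event.action") == "exec" and ev.get("user.id") == "0" and pending[host]:
            for g in pending[host]:
                alerts.append({
                    "host.id": host,
                    "gdb_pid": g["process.pid"],
                    "gdb_user": g["user.id"],
                    "root_process": ev["process.name"],
                    "root_pid": ev["process.pid"],
                    "seconds_between": (now - parse_ts(g["@timestamp"])).total_seconds(),
                })
            pending[host] = []  # each first-stage event fires at most once
    return alerts


if __name__ == "__main__":
    for alert in detect_gdb_ptrace_escalation(SAMPLE_EVENTS):
        print(alert)
```

Only the h1 pair produces an alert; h2 is the "root administrator debugging" false-positive shape the summary mentions (the first stage requires a non-root actor), and h3 shows why a correlation window matters when triaging. In a real deployment the grouping key would normally be tighter than host (for example the session or the gdb process lineage), and the window would follow the rule's own sequence definition.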
Categories
- Endpoint
- Linux
Data Sources
- Process
- Script
- Logon Session
- Application Log
- User Account
ATT&CK Techniques
- T1055
- T1055.008
- T1068
Created: 2024-01-09