
Unusual Pkexec Execution

Elastic Detection Rules

Summary
This detection rule identifies unusual executions of the `pkexec` command on Linux systems by monitoring process activity, specifically `pkexec` launches whose parent is a shell. `pkexec` is commonly used to run a command as another user, usually the superuser, so misuse of it may indicate a privilege escalation attempt or other unauthorized action. The rule uses the 'new_terms' rule type to surface `pkexec` executions not previously observed, restricting its scope to operations initiated from common shell interpreters such as bash or zsh. The rule is assigned a risk score of 21, a low but notable level of concern that still warrants investigation of any flagged execution. To function, the rule relies on process data from several integrations, including Elastic Defend, CrowdStrike, and SentinelOne. Its detection logic combines specific process attributes (the `pkexec` process and its shell parent) with inspection of the command-line arguments passed to `pkexec` to identify potential misuse. The rule setup section provides the steps needed to configure Elastic Agent and Auditbeat so that the required events are collected. Lastly, the guide includes recommended investigation steps, false positive analysis, and suggested responses to detected anomalies.
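To make the detection strategy concrete, the following is an added illustration of the same idea in Python: it is not the Elastic rule's actual query, and the event field names, the shell list (bash and zsh, as named above), the choice of `(host, command line)` as the "new term", and all sample events are constructed assumptions. A baseline of previously seen `pkexec` command lines per host is learned first; a later `pkexec` launched from a shell with a command line not in that baseline produces an alert carrying the page's risk score of 21, and alerts only once before it joins the baseline.

```python
from dataclasses import dataclass, field

# Shell interpreters treated as parents of interest. Assumption: the page
# names bash and zsh as examples; the real rule's list may differ.
SHELL_PARENTS = {"bash", "zsh"}
RISK_SCORE = 21  # risk score stated for the rule


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process-start event from an EDR or Auditbeat
    source (constructed field names, not any integration's real schema)."""
    host: str
    user: str
    process_name: str
    parent_name: str
    command_line: str


@dataclass
class PkexecNewTermsDetector:
    """Flags pkexec launched from a shell whose (host, command line) pair
    has not been seen in the learned baseline, mimicking a new_terms rule."""
    seen: set = field(default_factory=set)

    @staticmethod
    def is_candidate(ev: ProcessEvent) -> bool:
        # Process attribute filter: pkexec itself, spawned by a shell.
        return ev.process_name == "pkexec" and ev.parent_name in SHELL_PARENTS

    @staticmethod
    def term(ev: ProcessEvent) -> tuple:
        # The "new term" is the full pkexec command line, scoped per host.
        return (ev.host, ev.command_line)

    def learn(self, events) -> None:
        """Populate the baseline from historical events (no alerts emitted)."""
        for ev in events:
            if self.is_candidate(ev):
                self.seen.add(self.term(ev))

    def evaluate(self, events) -> list:
        """Return one alert per previously unseen pkexec term."""
        alerts = []
        for ev in events:
            if not self.is_candidate(ev):
                continue
            t = self.term(ev)
            if t in self.seen:
                continue
            self.seen.add(t)  # alert once, then treat the term as known
            alerts.append({
                "host": ev.host,
                "user": ev.user,
                "parent": ev.parent_name,
                "command_line": ev.command_line,
                "risk_score": RISK_SCORE,
            })
        return alerts


# Constructed sample data: an admin's routine pkexec use forms the baseline.
BASELINE = [
    ProcessEvent("web-01", "alice", "pkexec", "bash", "pkexec systemctl restart nginx"),
    ProcessEvent("web-01", "alice", "pkexec", "zsh", "pkexec journalctl -u nginx"),
]

# Constructed events for the detection window.
NEW_EVENTS = [
    # Known command line from a shell: in baseline, no alert.
    ProcessEvent("web-01", "alice", "pkexec", "bash", "pkexec systemctl restart nginx"),
    # Service account running an unseen pkexec command from bash: alert.
    ProcessEvent("web-01", "www-data", "pkexec", "bash", "pkexec apt-get install curl"),
    # pkexec launched by a desktop component, not a shell: out of scope.
    ProcessEvent("web-01", "alice", "pkexec", "gnome-shell", "pkexec systemctl restart nginx"),
    # Not pkexec at all: ignored by this rule.
    ProcessEvent("web-01", "alice", "sudo", "bash", "sudo systemctl restart nginx"),
    # Same unseen term again: already alerted, so no second alert.
    ProcessEvent("web-01", "www-data", "pkexec", "bash", "pkexec apt-get install curl"),
]


def run_demo() -> list:
    """Learn the baseline, then evaluate the new events; returns the alerts."""
    det = PkexecNewTermsDetector()
    det.learn(BASELINE)
    return det.evaluate(NEW_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The interesting property for triage is visible in the sample: the same `pkexec` command line can be routine for one account and noteworthy for another, which is why the alert carries the user and parent shell rather than just the command, and why the page's false positive guidance matters for administrator hosts where new `pkexec` invocations are expected.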
Categories
  • Endpoint
  • Linux
  • Cloud
  • Other
Data Sources
  • Process
  • Container
  • Application Log
  • Network Traffic
  • User Account
ATT&CK Techniques
  • T1059
  • T1543
Created: 2025-01-16