
Summary
This analytic identifies the execution of common Linux processes used for elevation control, such as `chmod`, `chown`, and `setuid`. These processes are significant because attackers can abuse them to gain persistence or escalate privileges on compromised hosts. The detection leverages data sourced from Endpoint Detection and Response (EDR) agents, focusing on process names and their command-line executions. Monitoring this activity is crucial because confirmed malicious behavior can lead to unauthorized changes to file attributes, ownership, or user IDs, and consequently to loss of control over critical system resources. For implementation, logs must capture detailed telemetry from EDR agents, ensuring command-line executions and process details are properly ingested and mapped within the Splunk platform, using the Common Information Model (CIM) for normalization.
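As an added example (not part of the original analytic or Splunk's content), the detection logic described above is run in Python over constructed process events: it flags every execution of `chmod`, `chown` and `setuid` and, going beyond the page, labels `chmod` calls that turn on the setuid/setgid bit and `chown` calls that assign ownership to root. The field names (`dest`, `user`, `process_name`, `process`) follow the CIM Endpoint.Processes data model; the sample events are constructed.

```python
import re
import shlex

# Elevation-control processes named by the analytic.
ELEVATION_PROCESSES = {"chmod", "chown", "setuid"}

# Octal mode with the setuid (4), setgid (2) or both bits set, e.g. 4755, 2755, 6755.
OCTAL_SUID = re.compile(r"^[2-7][0-7]{3}$")
# Symbolic mode that adds an s bit, e.g. u+s, g+s, ug+rs, +s (the '=' form is not handled here).
SYMBOLIC_SUID = re.compile(r"^[ugoa]*\+[rwxXt]*s")

# Constructed CIM Endpoint.Processes-style events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "web01", "user": "deploy", "process_name": "chmod", "process": "chmod 4755 /tmp/.x"},
    {"dest": "web01", "user": "deploy", "process_name": "chmod", "process": "chmod 644 /var/www/index.html"},
    {"dest": "db02", "user": "root", "process_name": "chown", "process": "chown root:root /usr/local/bin/helper"},
    {"dest": "db02", "user": "alice", "process_name": "bash", "process": "bash -c 'ls -la'"},
    {"dest": "app03", "user": "www", "process_name": "chmod", "process": "chmod u+s,g+x /opt/app/bin/run"},
]


def sets_setuid(mode: str) -> bool:
    """True if a chmod mode argument turns on the setuid or setgid bit."""
    if OCTAL_SUID.match(mode):
        return True
    return any(SYMBOLIC_SUID.match(part) for part in mode.split(","))


def classify_event(event: dict):
    """Return a finding dict if the event matches the analytic, else None."""
    name = event.get("process_name", "")
    if name not in ELEVATION_PROCESSES:
        return None
    cmdline = event.get("process", "")
    try:
        args = shlex.split(cmdline)[1:]
    except ValueError:  # unbalanced quotes in the captured command line
        args = cmdline.split()[1:]
    if name == "chmod" and any(sets_setuid(a) for a in args):
        reason = "chmod sets setuid/setgid bit (T1548.001)"
    elif name == "chown" and any(a.split(":")[0] == "root" for a in args if not a.startswith("-")):
        reason = "chown assigns ownership to root (T1548)"
    else:
        reason = f"{name} executed (T1548)"
    return {"dest": event.get("dest"), "user": event.get("user"), "process": cmdline, "reason": reason}


def detect(events):
    """Run the analytic over a list of process events and return the findings."""
    return [f for f in (classify_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['dest']} {finding['user']}: {finding['reason']} <- {finding['process']}")
```

The generic "executed" findings are expected to be noisy on build and deployment hosts, so in practice they are tuned with allow-lists on `user` and `dest` while the setuid/setgid and root-ownership findings are kept at higher priority.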
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Process
- File
ATT&CK Techniques
- T1548
- T1548.001
Created: 2025-01-27