
Summary
This detection rule identifies potential exploitation attempts of CVE-2025-32463 by looking for misuse of the 'sudo' command with the '--chroot' or '-R' option. An attacker may exploit this vulnerability to execute malicious code with elevated privileges by tricking 'sudo' into loading attacker-controlled NSS (Name Service Switch) files or libraries from the chosen chroot directory. The rule uses EQL (Event Query Language) over process event data collected from multiple endpoint and threat detection platforms, matching process starts in which 'sudo' is invoked with a chroot option.
The risk associated with this behavior is assessed as high, because it signals a potential unauthorized privilege escalation. Key investigation steps include examining the parameters passed to 'sudo', checking for recent changes to the contents of the referenced chroot directory, and establishing the legitimate context of the command in order to distinguish benign administrative use from malicious activity. The rule requires data sources including logs from Elastic Defender, CrowdStrike, and various Linux-centric integrations so that these events can be correlated effectively. It also lays out triage, response, and remediation measures for security practitioners, including isolating affected hosts and revoking user privileges where necessary.
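To make the detection logic concrete, the following is an added example (not the rule's own EQL query and not code from the rule's authors) that applies the same idea to ECS-style process start events in Python. It keys off process.name and process.args, and walks only sudo's own option list, so a '-R' that belongs to the command being run (for example 'sudo ls -R /etc') is not a hit. The sample events and the assumed option grammar (which sudo options consume an argument) are constructed for this example.

```python
"""Flag process-start events where sudo is invoked with --chroot / -R.

Added example: the event shape mimics ECS fields (process.name,
process.args) but every sample event below is constructed, and the
option table is an assumption taken from sudo(8), not from the rule.
"""
from typing import Iterable, List

# sudo short options that consume an argument (assumption from sudo(8)).
# An 'R' seen in a clustered flag group before one of these is --chroot.
_SHORT_WITH_ARG = set("CDghprRtTuU")

# Long options that take a separate argument when written without '='.
_LONG_WITH_ARG = {
    "--chdir", "--chroot", "--close-from", "--command-timeout", "--group",
    "--host", "--prompt", "--role", "--type", "--user", "--other-user",
}


def uses_chroot(args: List[str]) -> bool:
    """Return True if this sudo argv selects a chroot directory.

    Parsing stops at '--' or at the first non-option token (the command
    to run), because sudo stops reading its own options there.
    """
    i = 1  # skip argv[0]
    while i < len(args):
        tok = args[i]
        if tok == "--":
            return False
        if tok.startswith("--"):
            name = tok.split("=", 1)[0]
            if name == "--chroot":
                return True
            if name in _LONG_WITH_ARG and "=" not in tok:
                i += 1  # the value is the next token; skip it
        elif tok.startswith("-") and len(tok) > 1:
            for pos, ch in enumerate(tok[1:]):
                if ch == "R":
                    return True
                if ch in _SHORT_WITH_ARG:
                    # Rest of this token is the value; if there is no
                    # rest, the value is the next token.
                    if pos == len(tok) - 2:
                        i += 1
                    break
        else:
            return False  # first non-option token is the command
        i += 1
    return False


def detect_sudo_chroot(events: Iterable[dict]) -> List[dict]:
    """Return the events whose process is sudo started with a chroot option."""
    hits = []
    for ev in events:
        proc = ev.get("process", {})
        if proc.get("name") == "sudo" and uses_chroot(proc.get("args", [])):
            hits.append(ev)
    return hits


def _ev(event_id: str, user: str, args: List[str]) -> dict:
    """Build a constructed ECS-like process start event."""
    return {
        "event": {"id": event_id, "type": "start"},
        "host": {"name": "lab-host-01"},
        "user": {"name": user},
        "process": {"name": args[0].rsplit("/", 1)[-1], "args": args},
    }


# Constructed sample events: ev1, ev2, ev3 and ev7 should be flagged.
SAMPLE_EVENTS = [
    _ev("ev1", "alice", ["sudo", "-R", "/tmp/example-jail", "id"]),
    _ev("ev2", "alice", ["sudo", "--chroot=/srv/example-jail", "/bin/sh"]),
    _ev("ev3", "bob", ["sudo", "-nR", "/srv/example-jail", "true"]),
    _ev("ev4", "bob", ["sudo", "-u", "www-data", "ls", "-R", "/var/www"]),
    _ev("ev5", "carol", ["sudo", "-r", "sysadm_r", "whoami"]),
    _ev("ev6", "carol", ["rsync", "-R", "src/", "dst/"]),
    _ev("ev7", "dave", ["/usr/bin/sudo", "--chroot", "/srv/example-jail", "id"]),
]


if __name__ == "__main__":
    for hit in detect_sudo_chroot(SAMPLE_EVENTS):
        print(hit["event"]["id"], hit["user"]["name"], " ".join(hit["process"]["args"]))
```

A hit is only the starting point for triage: the next step from the rule's own guidance is to look at the directory the option points to and at who changed its contents recently, since a chroot under a legitimately administered path looks the same to this check as one under a world-writable directory.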
Categories
- Endpoint
- Linux
Data Sources
- Process
- User Account
- Application Log
- Network Traffic
- File
ATT&CK Techniques
- T1068
Created: 2025-10-01