File System Debugger Launched Inside a Privileged Container

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious use of the Linux debugfs utility inside a privileged container. debugfs is the interactive file system debugger for ext2/3/4 volumes (not the kernel's debugfs pseudo-filesystem of the same name): pointed at a block device, it reads and writes the on-disk structures directly rather than through the mounted file system, so ordinary file permissions do not apply. A privileged container exposes the host's device nodes, and an attacker who runs debugfs against one of them from inside the container can read or modify sensitive host files, escalate privileges and escape to the host. The rule fires when a debugfs process is launched with arguments that reference a device node while the container is privileged; any match that does not correspond to expected administrative activity should be treated as a security concern. The rule notes stress the need to track which containers run privileged and the risk of having debugfs available in production containers at all, and they provide investigation, false-positive analysis and incident response guidance so security teams can triage and remediate matches effectively.
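As an added illustration, not Elastic's rule or its query: a small Python evaluator that applies the logic described above to a handful of constructed container process events. The ECS-like field names (`process.name`, `process.args`, `container.security_context.privileged`), the device-path patterns and the sample events are assumptions chosen to mirror the description, so the thresholds and field names in a real deployment may differ.

```python
"""Illustrative evaluator for the "debugfs in a privileged container" logic.

This is added example code, not the Elastic rule itself. Field names and the
set of device-node patterns are assumptions that mirror the rule description.
"""

import fnmatch

# Constructed sample events (assumed ECS-like shape); not real telemetry.
SAMPLE_EVENTS = [
    {  # debugfs opened against a host disk from a privileged container: should fire
        "process": {"name": "debugfs", "args": ["debugfs", "/dev/sda1"]},
        "container": {"id": "c1", "security_context": {"privileged": True}},
    },
    {  # same command, container not privileged: device is not reachable, no alert
        "process": {"name": "debugfs", "args": ["debugfs", "/dev/sda1"]},
        "container": {"id": "c2", "security_context": {"privileged": False}},
    },
    {  # debugfs on an image file rather than a device node: no alert
        "process": {"name": "debugfs", "args": ["debugfs", "/tmp/test.img"]},
        "container": {"id": "c3", "security_context": {"privileged": True}},
    },
    {  # a different tool reading /dev: out of scope for this particular rule
        "process": {"name": "dd", "args": ["dd", "if=/dev/sda", "of=/tmp/x"]},
        "container": {"id": "c4", "security_context": {"privileged": True}},
    },
    {  # debugfs run directly on the host (no container fields): not this rule's concern
        "process": {"name": "debugfs", "args": ["debugfs", "/dev/sda1"]},
    },
]

# Assumed set of block-device node patterns worth alerting on.
DEVICE_PATTERNS = (
    "/dev/sd*", "/dev/nvme*", "/dev/vd*", "/dev/xvd*",
    "/dev/mapper/*", "/dev/dm-*",
)


def is_privileged_container(event):
    """True only when the event carries container fields marking it privileged."""
    ctx = event.get("container", {}).get("security_context", {})
    return bool(ctx.get("privileged"))


def matching_device(event):
    """Return the device path that makes this event match, or None.

    All three conditions must hold: the binary is debugfs, the container is
    privileged, and at least one argument names a block-device node.
    """
    proc = event.get("process", {})
    if proc.get("name") != "debugfs" or not is_privileged_container(event):
        return None
    for arg in proc.get("args", []):
        if any(fnmatch.fnmatch(arg, pattern) for pattern in DEVICE_PATTERNS):
            return arg
    return None


def evaluate(events):
    """Return (container id, device path) pairs for every event that fires.

    Carrying the device path in the alert is what an analyst needs first when
    triaging: it tells them which host volume was touched.
    """
    hits = []
    for event in events:
        device = matching_device(event)
        if device is not None:
            hits.append((event["container"]["id"], device))
    return hits


if __name__ == "__main__":
    for container_id, device in evaluate(SAMPLE_EVENTS):
        print(f"ALERT container={container_id} device={device}")
```

Only the first sample fires; the other four are the negatives a practitioner would use to check the rule does not trigger on unprivileged containers, non-device targets, other binaries, or host-level processes outside any container.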
Categories
  • Containers
Data Sources
  • Container
ATT&CK Techniques
  • T1611 (Escape to Host)
Created: 2023-10-26