
Summary
Detects potential privilege escalation on Linux endpoints by flagging processes that run as root (effective user ID 0) while the real user and the parent process are non-root, a pattern consistent with execution of Setuid/Setgid binaries. The rule analyzes process life-cycle data from Linux hosts (logs-endpoint.events.process) for suspicious combinations of user/group IDs and parent-child process relationships, and raises a high-severity alert that warrants investigation.

It uses two main checks. (1) ID mismatch: the target process has process.user.id == 0 with process.real_user.id != 0 and process.parent.user.id != 0, or the equivalent on the group side (process.group.id == 0 with process.real_group.id != 0 and process.parent.group.id != 0). (2) Invocation context: the process's executable or name matches the start of its command line, or the parent context suggests a privilege-escalation attempt. The parent context is checked with two heuristics: (a) the parent process name matches a common shell or interpreter, or the parent executable resides in a writable or temporary directory (e.g., /tmp, /var/tmp, /dev/shm, /run/user, /home); or (b) the parent is a shell (bash, dash, sh, etc.) invoked with -c or a similar argument and a small argument count (<= 4). Together these conditions indicate abuse of SUID/SGID binaries or related elevation mechanisms.

The rule maps to MITRE ATT&CK technique T1548 (Abuse Elevation Control Mechanism), with sub-techniques T1548.001 (Setuid and Setgid) and T1548.003 (Sudo and Sudo Caching), under the Privilege Escalation tactic (TA0004).

False positives may occur in legitimate automation or break-glass scenarios where SUID binaries are invoked from scripts under /home; standard SUID-root binaries such as sudo, su and passwd also satisfy check (1) by design when run from an interactive shell, so expect to tune exclusions for them. Before escalating, confirm the identity of the parent process and any associated change ticket. Recommended actions include containment of the session if unauthorized, revocation of elevated access, and review of sudoers/polkit configurations.
References include the MITRE technique mappings and the investigation guide included in the rule metadata.
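The two checks above, re-implemented over hand-constructed process events so the branches can be exercised offline. This is an added example, not the rule's own query or any vendor code: the field names follow ECS naming as used in the summary (process.user.id, process.real_user.id, process.parent.args_count and so on), the "-c or similar" flag set and the shell/interpreter lists are assumptions, and the sample events (a SUID find spawned from bash -c, a root cron job, an SGID helper launched by a binary in /dev/shm, and an elevated process whose parent is the user's systemd instance) are constructed, not captured.

```python
"""Toy re-implementation of the SUID/SGID escalation checks described above.

Added example, not the detection rule's own query. Events are hand-built
dictionaries using ECS-style field names; nothing here was captured from a host.
"""
from typing import Any

SHELLS = {"bash", "dash", "sh", "zsh", "ksh", "ash"}
INTERPRETERS = {"python", "python3", "perl", "ruby", "php", "node"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/", "/home/")
SHELL_COMMAND_FLAGS = {"-c"}  # assumption: the summary only says "-c or similar"


def get(event: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted ECS path such as 'process.parent.user.id'."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def elevated_ids(event: dict) -> bool:
    """Check (1): effective uid or gid is 0 while the real id and the parent's id are not."""
    def non_root(path: str) -> bool:
        return get(event, path) not in (None, "0")
    uid_path = get(event, "process.user.id") == "0" and non_root("process.real_user.id") \
        and non_root("process.parent.user.id")
    gid_path = get(event, "process.group.id") == "0" and non_root("process.real_group.id") \
        and non_root("process.parent.group.id")
    return uid_path or gid_path


def name_matches_command_line(event: dict) -> bool:
    """Check (2), first branch: the command line opens with the executable or process name."""
    cmd = get(event, "process.command_line", "") or ""
    exe = get(event, "process.executable", "") or ""
    name = get(event, "process.name", "") or ""
    return bool(exe and cmd.startswith(exe)) or bool(name and cmd.startswith(name))


def suspicious_parent(event: dict) -> bool:
    """Check (2), second branch: heuristics (a) and (b) on the parent process."""
    pname = get(event, "process.parent.name", "") or ""
    pexe = get(event, "process.parent.executable", "") or ""
    pargs = get(event, "process.parent.args", []) or []
    pargc = get(event, "process.parent.args_count", len(pargs))
    # (a) shell/interpreter parent, or a parent binary living in a writable/temp directory
    heuristic_a = pname in SHELLS | INTERPRETERS or pexe.startswith(WRITABLE_DIRS)
    # (b) shell parent invoked with -c (or similar) and at most 4 arguments
    heuristic_b = pname in SHELLS and any(a in SHELL_COMMAND_FLAGS for a in pargs) and pargc <= 4
    return heuristic_a or heuristic_b


def matches_rule(event: dict) -> bool:
    """Linux-only: check (1) AND (either branch of check (2))."""
    if get(event, "host.os.type") != "linux":
        return False
    return elevated_ids(event) and (name_matches_command_line(event) or suspicious_parent(event))


def make_event(name, executable, command_line, uid, ruid, gid, rgid,
               parent_name, parent_exe, parent_args, puid, pgid) -> dict:
    """Build a constructed ECS-style process event (ids are strings, as in ECS)."""
    return {
        "host": {"os": {"type": "linux"}},
        "process": {
            "name": name, "executable": executable, "command_line": command_line,
            "user": {"id": uid}, "real_user": {"id": ruid},
            "group": {"id": gid}, "real_group": {"id": rgid},
            "parent": {"name": parent_name, "executable": parent_exe,
                       "args": parent_args, "args_count": len(parent_args),
                       "user": {"id": puid}, "group": {"id": pgid}},
        },
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    # SUID-root find run via `bash -c` by uid 1000: euid 0, real uid 1000 -> should fire
    "suid_find_from_bash": make_event(
        "find", "/usr/bin/find", "find / -exec /bin/sh -p \\; -quit",
        "0", "1000", "1000", "1000",
        "bash", "/usr/bin/bash", ["bash", "-c", "find / -exec /bin/sh -p \\; -quit"], "1000", "1000"),
    # root cron job: every id is 0, nothing was elevated -> must not fire
    "root_cron": make_event(
        "logrotate", "/usr/sbin/logrotate", "/usr/sbin/logrotate /etc/logrotate.conf",
        "0", "0", "0", "0", "cron", "/usr/sbin/cron", ["/usr/sbin/cron", "-f"], "0", "0"),
    # SGID-only helper launched by a dropper in /dev/shm: fires via the group branch
    "sgid_helper_from_dev_shm": make_event(
        "backup-helper", "/usr/local/sbin/backup-helper", "/usr/local/sbin/backup-helper --dump",
        "1000", "1000", "0", "1000", "dropper", "/dev/shm/dropper", ["/dev/shm/dropper"], "1000", "1000"),
    # elevated ids, but argv[0] was rewritten and the parent is the user's systemd
    # instance (not a shell, not in a writable dir) -> neither branch of check (2)
    "elevated_but_clean_parent": make_event(
        "agent-helper", "/usr/libexec/agent-helper", "helper --session 3",
        "0", "1000", "1000", "1000",
        "systemd", "/usr/lib/systemd/systemd", ["/usr/lib/systemd/systemd", "--user"], "1000", "1000"),
}


def evaluate(events: dict = SAMPLE_EVENTS) -> dict:
    """Run the rule over every sample and return {label: fired?}."""
    return {label: matches_rule(ev) for label, ev in events.items()}


if __name__ == "__main__":
    for label, fired in evaluate().items():
        print(f"{'ALERT ' if fired else 'quiet '} {label}")
```

The per-check functions are exposed separately so a triager can see which branch fired: for the /dev/shm sample both the command-line branch and heuristic (a) hold, whereas the systemd sample shows that check (1) alone is not enough to alert, which is exactly the gap the parent heuristics are meant to cover.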
Categories
- Endpoint
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1548
- T1548.001
- T1548.003
Created: 2026-05-18