Linux Setuid Using Chmod Utility

Splunk Security Content

Summary
This analytic detects use of the 'chmod' utility on Linux hosts to set the Set User ID (SUID) or Set Group ID (SGID) bit on a file. A file with the SUID or SGID bit set executes with the privileges of its owner or group (often root) rather than those of the user who launched it, so setting these bits is a classic privilege-escalation step. The detection uses process telemetry collected by Endpoint Detection and Response (EDR) agents, matching primarily on the process name and its command-line arguments. An invocation whose mode argument sets these bits (for example *u+s* for SUID or *g+s* for SGID) may indicate an attempt at privilege escalation and should be investigated. Deploying this rule helps surface suspicious chmod usage on critical systems before a newly privileged binary can be abused.
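To make the matching logic concrete, the following is an added example in Python; it is not the Splunk search from this page. It runs a simplified version of the same check over a handful of constructed EDR process events: it keeps only `chmod` processes, pulls the mode argument out of the command line, and flags modes that set the SUID or SGID bit in either symbolic form (`u+s`, `g+s`, `+s`) or four-digit octal form (leading digit 4, 2 or 6). The event field names (`host`, `user`, `process_name`, `process`) are assumptions chosen for the example.

```python
import re
import shlex

# Constructed sample EDR process events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "web01", "user": "deploy", "process_name": "chmod", "process": "chmod u+s /tmp/.cache/helper"},
    {"host": "web01", "user": "root",   "process_name": "chmod", "process": "chmod 4755 /usr/local/bin/tool"},
    {"host": "db02",  "user": "alice",  "process_name": "chmod", "process": "chmod 755 /home/alice/run.sh"},
    {"host": "db02",  "user": "alice",  "process_name": "chmod", "process": "chmod g+s /srv/shared"},
    {"host": "app03", "user": "bob",    "process_name": "chmod", "process": "chmod -R 2775 /srv/project"},
    {"host": "app03", "user": "bob",    "process_name": "cat",   "process": "cat /etc/passwd"},
    {"host": "app03", "user": "bob",    "process_name": "chmod", "process": "chmod ug+rwx,o-w /opt/x"},
]

# One symbolic clause: optional who ([ugoa]), an operator, then permission letters.
SYMBOLIC_CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwxXst]*)$")


def setuid_bits_from_mode(mode):
    """Return the set of special bits ('SUID', 'SGID') that a chmod mode string would set."""
    bits = set()
    if re.fullmatch(r"[0-7]{4,}", mode):
        # Four-digit octal: the leading digit carries setuid(4), setgid(2), sticky(1).
        special = int(mode[0], 8)
        if special & 4:
            bits.add("SUID")
        if special & 2:
            bits.add("SGID")
        return bits
    if re.fullmatch(r"[0-7]{1,3}", mode):
        # One- to three-digit octal modes never touch the special bits.
        return bits
    for clause in mode.split(","):
        m = SYMBOLIC_CLAUSE.match(clause)
        if not m:
            continue
        who, op, perms = m.groups()
        if op == "-" or "s" not in perms:
            continue  # removing bits, or no 's' in this clause
        who = who or "a"  # an empty "who" applies to everyone, like 'a'
        if "u" in who or "a" in who:
            bits.add("SUID")
        if "g" in who or "a" in who:
            bits.add("SGID")
    return bits


def detect_chmod_setuid(events):
    """Return findings for chmod invocations whose mode sets SUID and/or SGID."""
    findings = []
    for ev in events:
        if ev.get("process_name") != "chmod":
            continue
        try:
            argv = shlex.split(ev["process"])
        except ValueError:
            continue  # unbalanced quotes in the command line; skip rather than crash
        # Simplification: the first non-option argument is the mode, the rest are targets.
        positional = [a for a in argv[1:] if not a.startswith("-")]
        if len(positional) < 2:
            continue
        mode, targets = positional[0], positional[1:]
        bits = setuid_bits_from_mode(mode)
        if bits:
            findings.append({
                "host": ev["host"],
                "user": ev["user"],
                "bits": sorted(bits),
                "targets": targets,
                "process": ev["process"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_chmod_setuid(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {f['bits']} on {f['targets']}  <- {f['process']}")
```

Run as-is, the script flags four of the seven constructed events: the symbolic `u+s` and `g+s` calls and the octal `4755` and `2775` calls, while the plain `755` change, the `cat` process, and the `ug+rwx,o-w` mode (no `s` bit) pass through unflagged. In production the octal case matters because the page's symbolic examples alone would miss `chmod 4755`, and the user and target path fields are what an analyst needs first when triaging: package managers and configuration tools legitimately set these bits under `/usr`, whereas a non-root user setting SUID on a file under `/tmp` or a home directory is far harder to explain.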
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Process
ATT&CK Techniques
  • T1548.001
  • T1548
Created: 2024-11-13