
Summary
This anomaly rule detects a specific Linux authentication anomaly where the su command is invoked from a binary that has been page-cache-corrupted. In normal operation, su logs both the target account and the invoking user; when exploitation occurs via this path, the invoking user field is absent, indicating a potential privilege-escalation attempt to obtain root access. The rule processes Linux Secure logs (via the Splunk Add-On for Unix and Linux) to extract target_user and source_user from su-related events and filters for events where the source_user is effectively empty. It then aggregates results by process, reporting the count, first and last times, distinct target users, and affected hosts. This supports rapid detection and investigation of possible privilege escalation on Linux endpoints. The analytic context is Linux Privilege Escalation, with a referenced CVE-2026-31431 scenario and alignment to MITRE ATT&CK technique T1068. The rule is designed for Splunk environments (Splunk Enterprise, Splunk ES, Splunk Cloud) and provides endpoint visibility for Linux systems.
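The filtering and aggregation logic described above, re-expressed as an added Python example rather than the rule's own SPL (this is not code from the original rule). It parses constructed secure-log lines in the pam_unix(su-l:session) format, an assumed layout since the page shows no raw events, flags su session-opens whose invoking-user field is empty, ignores other daemons such as sshd that legitimately log `by (uid=0)`, and aggregates per process with count, first/last time, distinct target users and hosts.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (not real data). Line 3 and 4 show the anomaly: the
# invoking-user name before "(uid=...)" is empty. Line 5 is sshd, not su, and must
# not be flagged even though it also reads "by (uid=0)".
SAMPLE_SECURE_LOG = """\
Jun 12 09:14:01 web01 su[4102]: pam_unix(su-l:session): session opened for user root(uid=0) by alice(uid=1000)
Jun 12 09:15:22 web01 su[4133]: pam_unix(su-l:session): session opened for user postgres(uid=26) by bob(uid=1001)
Jun 12 09:16:05 web01 su[4190]: pam_unix(su-l:session): session opened for user root(uid=0) by (uid=0)
Jun 12 09:17:40 db02 su[2210]: pam_unix(su-l:session): session opened for user root(uid=0) by (uid=1002)
Jun 12 09:18:11 db02 sshd[2301]: pam_unix(sshd:session): session opened for user carol(uid=1002) by (uid=0)
"""

# Only su / su-l session-open events match; the source group may be empty.
SU_EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s(?P<proc>su(?:-l)?)\[\d+\]:\s"
    r"pam_unix\(su(?:-l)?:session\):\ssession opened for user "
    r"(?P<target>[^\s(]+)(?:\(uid=\d+\))?\sby\s(?P<source>[^\s(]*)(?:\(uid=\d+\))?\s*$"
)


@dataclass
class Finding:
    count: int = 0
    first_time: str = ""
    last_time: str = ""
    target_users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)


def parse_su_events(log_text):
    """Yield field dicts for su session-open events; other daemons are skipped."""
    for line in log_text.splitlines():
        m = SU_EVENT.match(line)
        if m:
            yield m.groupdict()


def find_missing_source_user(log_text):
    """Keep su events whose invoking user is effectively empty, grouped by process.
    first_time/last_time assume the log is in chronological order."""
    findings = defaultdict(Finding)
    for ev in parse_su_events(log_text):
        if ev["source"].strip():  # normal su: invoking user is present
            continue
        f = findings[ev["proc"]]
        f.count += 1
        f.first_time = f.first_time or ev["ts"]
        f.last_time = ev["ts"]
        f.target_users.add(ev["target"])
        f.hosts.add(ev["host"])
    return dict(findings)


if __name__ == "__main__":
    for proc, f in find_missing_source_user(SAMPLE_SECURE_LOG).items():
        print(proc, f.count, f.first_time, f.last_time, sorted(f.target_users), sorted(f.hosts))
```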
Categories
- Endpoint
- Linux
Data Sources
- Windows Registry
- Script
- Image
- Process
- File
- Domain Name
- Service
- Kernel
- Driver
- Network Traffic
- Application Log
- Logon Session
- Module
- Sensor Health
- Drive
- Snapshot
- Command
- Volume
- Cloud Service
- Web Credential
- Certificate
- WMI
- Cloud Storage
- Internet Scan
- Named Pipe
- Group
- User Account
- Pod
- Container
- Instance
- Firewall
- Scheduled Job
- Firmware
- Network Share
- Malware Repository
ATT&CK Techniques
- T1068
Created: 2026-06-12