
Summary
This analytic detects the execution of the 'setcap' utility on Linux systems, identifying attempts to enable the SUID (Set User ID) bit. Leveraging Endpoint Detection and Response (EDR) data, it focuses on specific command-line arguments that indicate the use of 'setcap' to grant elevated capabilities such as 'cap_setuid' and 'cap_net_bind_service'. These operations are critical because they allow a user to gain temporary root-level access, posing significant security risks related to privilege escalation and potential system compromise. The search includes filtering for process names associated with SUID modifications and their context, including user and parent process names. The importance of this detection lies in the rapid identification of potentially malicious activity that could lead to unauthorized access and exploitation of system resources.
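The detection logic described above, written out as an added Python example run over constructed EDR process events (this is not the analytic's own search and not code from the original page). The event field names (`process_name`, `process`, `user`, `parent_process_name`, `dest`) and the sample records are assumptions made for the example; the watched capability strings are the ones the summary names.

```python
import re
from typing import Dict, List

# Capabilities the summary calls out. cap_setuid lets a binary change its
# UID (root-equivalent); cap_net_bind_service allows binding privileged ports.
WATCHED_CAPABILITIES = ("cap_setuid", "cap_net_bind_service")

# The binary is "setcap" whether logged bare or as a full path (e.g. /sbin/setcap).
SETCAP_RE = re.compile(r"(?:^|/)setcap$")


def is_setcap(process_name: str) -> bool:
    """True when the process name refers to the setcap utility."""
    return SETCAP_RE.search(process_name.strip()) is not None


def capabilities_in(cmdline: str) -> List[str]:
    """Return the watched capabilities named anywhere in the command line."""
    lowered = cmdline.lower()
    return [cap for cap in WATCHED_CAPABILITIES if cap in lowered]


def detect_setcap_capability_grants(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag setcap executions whose arguments grant a watched capability.

    Each hit keeps the triage context the summary mentions: host, user,
    parent process and the full command line.
    """
    hits = []
    for ev in events:
        if not is_setcap(ev.get("process_name", "")):
            continue  # not setcap at all (e.g. getcap, sudo wrapper)
        caps = capabilities_in(ev.get("process", ""))
        if not caps:
            continue  # setcap run without a watched capability (e.g. removing caps)
        hits.append({
            "dest": ev.get("dest"),
            "user": ev.get("user"),
            "parent_process_name": ev.get("parent_process_name"),
            "process": ev.get("process"),
            "capabilities": caps,
        })
    return hits


# Constructed sample events in an assumed EDR process-event shape.
SAMPLE_EVENTS = [
    {"dest": "web01", "user": "www-data", "parent_process_name": "bash",
     "process_name": "setcap",
     "process": "setcap cap_setuid+ep /tmp/.cache/python3"},
    {"dest": "web01", "user": "root", "parent_process_name": "dpkg",
     "process_name": "/sbin/setcap",
     "process": "/sbin/setcap cap_net_bind_service=+ep /usr/bin/node"},
    {"dest": "web01", "user": "alice", "parent_process_name": "bash",
     "process_name": "getcap",
     "process": "getcap -r /usr/bin"},
    {"dest": "web01", "user": "root", "parent_process_name": "bash",
     "process_name": "setcap",
     "process": "setcap -r /usr/bin/node"},
]


def run_sample() -> List[Dict[str, object]]:
    """Apply the detection to the constructed events and return the hits."""
    return detect_setcap_capability_grants(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['dest']} user={hit['user']} parent={hit['parent_process_name']} "
              f"caps={hit['capabilities']} cmd={hit['process']!r}")
```

Of the four constructed events, only the first two are flagged: `getcap` is not `setcap`, and the final `setcap -r` removes capabilities rather than granting one. The parent process and user fields are kept on each hit because they are what separates the `dpkg`-driven package install from the `www-data`-initiated grant on a binary under `/tmp` during triage.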
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Container
- Process
ATT&CK Techniques
- T1548.001
- T1548
Created: 2024-11-13