
Potential Suspicious DebugFS Root Device Access

Elastic Detection Rules

Summary
This detection rule monitors use of the Linux debugfs utility (the ext2/ext3/ext4 filesystem debugger from e2fsprogs) by non-root users who are members of the 'disk' group. Membership in that group grants read and write access to raw block devices, so debugfs can open a device such as /dev/sda1 and read any file on the filesystem by walking the on-disk structures directly, bypassing ordinary file permissions. An attacker with such an account can read /etc/shadow, private SSH keys, or other protected files and use them to escalate privileges. The rule flags executions of debugfs against disk devices by users who lack root privileges, surfacing activity that may indicate unauthorized file access or a privilege-escalation attempt. It relies on Elastic Defend for data collection and is configured through the Elastic Agent and Fleet. The rule includes investigation and false-positive guidance to help analysts distinguish malicious use from legitimate administrative activity such as filesystem repair or forensic imaging.
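As an added illustration of the detection logic described above (this is not Elastic's own rule query or code), the following Python approximates the rule over a few constructed ECS-style process events. It assumes events carry process.name, process.args and user.id/user.name; the disk-device pattern, the list of sensitive paths and the severity scoring are my own choices for this example, and the constructed events are not real telemetry.

```python
"""Approximate the 'debugfs on a block device by a non-root user' detection.

Added example; not the Elastic rule itself. Event shape (ECS-like) and the
device/sensitive-path heuristics below are assumptions made for this demo.
"""
import re

# Assumption: a "disk device" is a raw block device path. Covers common
# SCSI/SATA, NVMe, virtio, Xen, legacy IDE and device-mapper names.
DISK_DEVICE_RE = re.compile(
    r"^/dev/(sd[a-z]+\d*|nvme\d+n\d+(p\d+)?|vd[a-z]+\d*|xvd[a-z]+\d*"
    r"|hd[a-z]+\d*|dm-\d+|mapper/.+)$"
)

# Assumption: paths whose disclosure most directly enables privilege escalation.
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/", ".ssh/", "/etc/gshadow")


def is_disk_device(arg):
    """True if the argument names a raw block device."""
    return bool(DISK_DEVICE_RE.match(arg))


def debugfs_target(args):
    """Return the first argument that names a block device, or None."""
    for a in args[1:]:
        if is_disk_device(a):
            return a
    return None


def requested_command(args):
    """Return the command passed via debugfs -R "<cmd>", if any."""
    for i, a in enumerate(args):
        if a == "-R" and i + 1 < len(args):
            return args[i + 1]
    return None


def evaluate(event):
    """Return an alert dict for a suspicious event, or None.

    Alerts on debugfs aimed at a block device by any non-root user. The process
    start is logged whether or not the user is actually in the disk group, so a
    failed attempt by a user outside the group is still worth seeing.
    """
    proc = event.get("process", {})
    user = event.get("user", {})
    if proc.get("name") != "debugfs":
        return None
    args = proc.get("args", [])
    device = debugfs_target(args)
    if device is None:
        return None                      # e.g. debugfs on an image file in /tmp
    if str(user.get("id")) == "0":
        return None                      # root use is routine and out of scope
    cmd = requested_command(args)
    write_mode = "-w" in args
    reads_sensitive = cmd is not None and any(p in cmd for p in SENSITIVE_PATHS)
    return {
        "user": user.get("name"),
        "uid": str(user.get("id")),
        "device": device,
        "command": cmd,
        "write_mode": write_mode,
        "severity": "high" if (reads_sensitive or write_mode) else "medium",
    }


def find_alerts(events):
    """Evaluate every event and return the alerts in input order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"user": {"id": "1001", "name": "bob"},
     "process": {"name": "debugfs",
                 "args": ["debugfs", "-R", "cat /etc/shadow", "/dev/sda1"]}},
    {"user": {"id": "0", "name": "root"},
     "process": {"name": "debugfs", "args": ["debugfs", "-R", "stats", "/dev/sda1"]}},
    {"user": {"id": "1001", "name": "bob"},
     "process": {"name": "debugfs",
                 "args": ["debugfs", "-R", "ls -l /", "/tmp/rootfs.img"]}},
    {"user": {"id": "1002", "name": "alice"},
     "process": {"name": "debugfs", "args": ["debugfs", "-w", "/dev/nvme0n1p2"]}},
    {"user": {"id": "1001", "name": "bob"},
     "process": {"name": "cat", "args": ["cat", "/dev/sda1"]}},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Of the five constructed events only two alert: bob reading /etc/shadow from /dev/sda1 (high, sensitive path) and alice opening /dev/nvme0n1p2 read-write (high, write mode). Root's use and debugfs against a loose image file are ignored, and the raw `cat /dev/sda1` is left to other rules. When triaging a real hit, confirm the user's group membership with `id <user>` or `getent group disk` and check the `-R` command for the files that were actually read.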
Categories
  • Linux
  • Endpoint
  • Application
Data Sources
  • Process
  • User Account
  • File
ATT&CK Techniques
  • T1078
  • T1078.003
Created: 2023-08-30