Linux Docker Privilege Escalation

Splunk Security Content

Summary
This detection rule identifies potential privilege-escalation attempts on Linux systems that use Docker. It targets Docker commands that mount the host's root directory into a container or execute shell commands inside a container; these matter because an attacker with Docker privileges can use them to manipulate critical host files such as /etc/passwd. The detection relies on telemetry from Endpoint Detection and Response (EDR) agents, which record process activity and so allow specific patterns in process names and command-line arguments to be monitored. If such activity is malicious, it can lead to full system compromise and sustained unauthorized access. The rule uses a structured query to find the relevant Docker invocations and reports both the processes involved and the associated user accounts.
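To make the process-telemetry pattern concrete, here is an added Python example (not Splunk's search or code) that applies the same two checks, root-directory mount and in-container shell, to constructed EDR events; the field names process_name, command_line and user, the sample events, and the shell list are assumptions.

```python
import os
import shlex

# Constructed sample EDR process events (not from Splunk's datasets); the
# field names process_name, command_line and user are assumptions.
SAMPLE_EVENTS = [
    {"user": "dev", "process_name": "docker", "command_line": "docker run -v /:/host -it ubuntu /bin/bash"},
    {"user": "dev", "process_name": "docker", "command_line": "docker exec -it web01 sh"},
    {"user": "ci", "process_name": "docker", "command_line": "docker run --rm -v /srv/app:/app node:20 npm test"},
    {"user": "ops", "process_name": "bash", "command_line": "bash -c 'docker ps'"},
]
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}

def host_paths(args):
    """Yield the host-side path of every -v/--volume and --mount argument."""
    for i, arg in enumerate(args):
        if arg in ("-v", "--volume", "--mount") and i + 1 < len(args):
            value = args[i + 1]
        elif arg.startswith(("-v=", "--volume=", "--mount=")):
            value = arg.split("=", 1)[1]
        else:
            continue
        if arg.startswith("--mount"):  # --mount type=bind,source=/,target=/host
            for kv in value.split(","):
                key, _, val = kv.partition("=")
                if key in ("source", "src"):
                    yield val
        else:  # -v host:container[:opts]; a bare name is a named volume
            yield value.split(":", 1)[0]

def docker_escalation_reasons(event):
    """Why an event matches the rule's pattern; empty list if it does not."""
    if os.path.basename(event["process_name"]) != "docker":
        return []
    args = shlex.split(event["command_line"])
    if len(args) < 2 or args[1] not in ("run", "exec"):
        return []
    reasons = []
    if any(p and p.strip("/") == "" for p in host_paths(args)):
        reasons.append("mounts host root directory")
    if any(os.path.basename(a) in SHELLS for a in args[2:]):
        reasons.append("executes a shell in the container")
    return reasons

def scan(events):
    """Return (user, command_line, reasons) for each matching event."""
    return [(e["user"], e["command_line"], r) for e in events if (r := docker_escalation_reasons(e))]
```

The shell check keys on the basename of any argument after the subcommand, so an image or container literally named "bash" would also match; in production, tune with an allowlist of expected users, hosts, or images rather than weakening the pattern.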
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1548.003
  • T1548
Created: 2024-11-13