
Summary
This detection rule targets potentially malicious use of `chroot` in combination with mount operations on Linux systems, particularly in Docker environments. Threat actors have been observed using exposed Docker APIs to start a container with the host filesystem mounted at `/mnt` and then running `chroot /mnt`, which changes the apparent root directory of the process to the host's filesystem and effectively escapes the container (ATT&CK T1611, Escape to Host). The rule looks for `chroot` invocations whose command line also references `/mnt` or the `mount` command, a pairing that indicates a possible escape or privilege escalation attempt. The logic uses a Splunk search that filters process events where the `process` field matches `chroot` together with either `/mnt` or `mount`. The captured fields include the event time, host, user, executed process, relevant system calls, and any associated filenames. Analysts reviewing these results should expect some legitimate hits, since administrators also `chroot` into a root filesystem mounted at `/mnt` during system recovery; tune the rule for known maintenance hosts and users before alerting on it. Otherwise, matches point to unauthorized attempts to manipulate the filesystem hierarchy and should be investigated.
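The detection logic described above, applied to a handful of constructed process events, as an added example. This is not the rule's actual Splunk search, which is not reproduced on this page; the regular expression is an assumption that mirrors the description (`chroot` paired with `/mnt` or `mount`), and the event fields, hostnames, users and command lines are all made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# ASSUMPTION: the page describes the filter in words only.  This regex stands in
# for the Splunk condition: a `chroot` command whose command line also names
# `/mnt` (as a path component) or the `mount` command.  Word boundaries keep
# `umount` and paths like `/mntx` from matching.
CHROOT_MOUNT_RE = re.compile(r"\bchroot\b.*(?:/mnt(?:/|\s|$)|\bmount\b)")


@dataclass(frozen=True)
class ProcessEvent:
    """The fields the rule is said to capture (names are assumptions)."""
    time: str
    host: str
    user: str
    process: str   # full command line
    syscall: str
    filename: str


def is_chroot_mount_activity(process: str) -> bool:
    """True when a command line pairs chroot with /mnt or mount."""
    return CHROOT_MOUNT_RE.search(process) is not None


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return the events the rule would surface, in input order."""
    return [e for e in events if is_chroot_mount_activity(e.process)]


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    # Docker-API style escape: host root bind-mounted at /mnt, then chroot.
    ProcessEvent("2024-02-09T10:01:02Z", "node-a", "root",
                 "docker run -v /:/mnt --rm -it alpine chroot /mnt sh",
                 "execve", "/usr/bin/docker"),
    # chroot into a mounted rootfs, then mount proc inside it.
    ProcessEvent("2024-02-09T10:01:05Z", "node-a", "root",
                 "chroot /mnt/host mount -t proc proc /proc",
                 "execve", "/usr/sbin/chroot"),
    # Benign: listing /mnt without chroot.
    ProcessEvent("2024-02-09T10:02:00Z", "node-b", "ops",
                 "ls -la /mnt", "execve", "/bin/ls"),
    # Benign: chroot into an unrelated rootfs, no /mnt and no mount.
    ProcessEvent("2024-02-09T10:03:00Z", "node-b", "ops",
                 "chroot /var/lib/lxc/web/rootfs /bin/bash",
                 "execve", "/usr/sbin/chroot"),
    # Benign: mount touching /mnt but no chroot.
    ProcessEvent("2024-02-09T10:04:00Z", "node-c", "root",
                 "mount -o bind /proc /mnt/proc", "execve", "/bin/mount"),
    # Benign: umount inside a chroot must not match via the `mount` branch.
    ProcessEvent("2024-02-09T10:05:00Z", "node-c", "root",
                 "chroot /srv/jail umount /proc", "execve", "/usr/sbin/chroot"),
]


def main() -> None:
    for e in detect(SAMPLE_EVENTS):
        print(f"{e.time} {e.host} {e.user} syscall={e.syscall} "
              f"file={e.filename} process={e.process!r}")


if __name__ == "__main__":
    main()
```

Only the first two constructed events fire. Note that the second would also be produced by an administrator repairing a system from a live environment, which is why the summary recommends tuning on host and user before alerting.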
Categories
- Linux
- Endpoint
- Containers
Data Sources
- Command
- Process
- Container
ATT&CK Techniques
- T1611
Created: 2024-02-09