Potential CVE-2025-32463 Nsswitch File Creation

Elastic Detection Rules

Summary
This rule detects the creation of an nsswitch.conf file at a location outside the standard /etc directory, which may indicate an attempt to exploit CVE-2025-32463. The vulnerability involves tricking the sudo command into loading manipulated Name Service Switch (NSS) libraries and configuration files in order to gain unauthorized root privileges. The rule examines file creation events where the file path resembles /.../etc/nsswitch.conf and the creating process name is associated with shell commands, a combination that could indicate malicious intent. It also includes a comprehensive investigation guide covering correlation with sudo or chroot executions, inspection of the file and its components, and response strategies to mitigate the risk posed by such detections. The investigation steps describe how to verify the legitimacy of the process and identify malicious activity, emphasizing proactive measures and alerting mechanisms to safeguard systems.
Categories
  • Endpoint
  • Linux
  • Cloud
Data Sources
  • Container
  • Process
  • File
ATT&CK Techniques
  • T1068
Created: 2025-10-01