
Linux c99 Privilege Escalation

Splunk Security Content

Summary
The Linux c99 Privilege Escalation detection rule identifies executions of the c99 command (the POSIX C compiler front-end, normally a thin wrapper around gcc) together with sudo on Linux hosts. If a sudoers entry lets a user run c99 as root, the compiler keeps the elevated privileges and its options can be used to launch a root shell, which is why the binary is a known sudo escalation path. The analytic uses process execution telemetry from Endpoint Detection and Response (EDR) agents, specifically events that carry the full command line, and queries the Endpoint.Processes data model in Splunk for command lines that contain both 'c99' and 'sudo'. A hit is not proof of compromise: the substring match is broad and will also catch benign commands that merely mention c99, so triage should confirm which user ran the command, from which parent process, and whether that user is legitimately allowed to run the compiler as root. Confirmed malicious use means arbitrary commands executed as root, with full exposure of system integrity and sensitive data.
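The following is an added example, not part of the Splunk rule or its repository. It replays the detection logic over constructed EDR process events (no real telemetry) to show what the loose wildcard match the summary describes returns, and what a tighter parse that requires sudo to actually be invoking c99 returns. The matcher names, the ProcessEvent fields and the sample command lines are assumptions; the first sample command line follows the pattern documented for c99 on GTFOBins, where gcc's `-wrapper` option is used to run a shell.

```python
"""Added example: c99/sudo detection replayed over constructed process events."""
import os
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for an Endpoint.Processes record (assumed field names)."""
    dest: str                 # host that recorded the event
    user: str                 # account that ran the process
    parent_process_name: str
    process_name: str
    process: str              # full command line


# Constructed sample events, not real telemetry. Event 0 is the known
# sudo c99 escalation pattern; events 3 and 4 are look-alikes that exercise
# the weaknesses of a plain substring match.
SAMPLE_EVENTS = [
    ProcessEvent("web01", "www-data", "bash", "sudo", "sudo c99 -wrapper /bin/sh,-s ."),
    ProcessEvent("build01", "jenkins", "make", "c99", "c99 -O2 -o app main.c"),
    ProcessEvent("build01", "jenkins", "bash", "sudo", "sudo make install"),
    ProcessEvent("web01", "deploy", "bash", "sudo", "sudo cp /tmp/c99.php /var/www/html/"),
    ProcessEvent("ops01", "alice", "bash", "sudo", "sudo -u builder c99 -o test test.c"),
]

# sudo options that consume the following argument (subset, enough for triage)
_SUDO_OPTS_WITH_ARG = {"-u", "-g", "-C", "-D", "-h", "-p", "-r", "-t", "-U"}


def splunk_style_match(ev: ProcessEvent) -> bool:
    """Loose match mirroring the rule's assumed wildcard logic:
    Processes.process="*c99*" AND Processes.process="*sudo*"."""
    return "c99" in ev.process and "sudo" in ev.process


def _sudo_target(argv: list) -> list:
    """Return the argv sudo will execute, or [] if argv is not a sudo call."""
    if not argv or os.path.basename(argv[0]) != "sudo":
        return []
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in _SUDO_OPTS_WITH_ARG else 1
    return argv[i:]


def strict_match(ev: ProcessEvent) -> bool:
    """Tighter check: sudo is the invoking program and the command it runs
    (after any sudo options) is the c99 binary itself."""
    try:
        argv = shlex.split(ev.process)
    except ValueError:
        return False   # unbalanced quotes; let the loose rule catch it instead
    target = _sudo_target(argv)
    return bool(target) and os.path.basename(target[0]) == "c99"


def spawns_shell_via_wrapper(ev: ProcessEvent) -> bool:
    """Triage hint: does the c99 invocation pass a shell to gcc's -wrapper
    option (the documented way to turn sudo c99 into a root shell)?"""
    try:
        argv = shlex.split(ev.process)
    except ValueError:
        return False
    target = _sudo_target(argv)
    for idx, arg in enumerate(target[:-1]):
        if arg == "-wrapper":
            first = target[idx + 1].split(",")[0]
            return os.path.basename(first) in {"sh", "bash", "dash", "zsh", "ksh"}
    return False


def run_detection(events, matcher):
    """Apply a matcher to a list of events and return the hits in order."""
    return [ev for ev in events if matcher(ev)]


if __name__ == "__main__":
    for name, matcher in (("loose", splunk_style_match), ("strict", strict_match)):
        for ev in run_detection(SAMPLE_EVENTS, matcher):
            flag = " [shell via -wrapper]" if spawns_shell_via_wrapper(ev) else ""
            print(f"{name:6} {ev.dest} {ev.user}: {ev.process}{flag}")
```

On the sample set the loose match returns three events, including the `cp /tmp/c99.php` command that has nothing to do with the compiler, while the strict parse keeps only the two commands where sudo really executes c99, and the `-wrapper` check singles out the one that spawns a shell. The loose rule is still the right thing to ship as the first-pass search, since attackers can rename or symlink the binary; the parse is a triage aid layered on top of it.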
Categories
  • Endpoint
Data Sources
  • Pod
  • Container
ATT&CK Techniques
  • T1548.003
  • T1548
Created: 2024-11-13