
Summary
This rule detects potential privilege escalation attempts on Linux systems where a process granted specific capabilities (CAP_CHOWN and/or CAP_FOWNER) changes the ownership of sensitive files. The CAP_CHOWN capability permits arbitrary changes to file ownership, while CAP_FOWNER allows a process to bypass permission checks that depend on file ownership. Attackers may misuse these capabilities to gain unauthorized access to, or modify, critical files such as /etc/passwd, /etc/shadow, /etc/sudoers, and files within the /root/.ssh directory. The detection uses an EQL query to identify a sequence of process execution followed by a file ownership change within a defined timeframe, focusing on non-root user actions that indicate privileges are being escalated inappropriately.
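The sequence logic described above, written out in Python as an added example (this is not the rule's own EQL query and not part of the original page). The event field names, the 60-second window, and the sample events are assumptions constructed for illustration:

```python
from datetime import datetime, timedelta

# Sensitive targets named in the rule summary.
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}
SENSITIVE_DIRS = ("/root/.ssh/",)
CAPS_OF_INTEREST = {"CAP_CHOWN", "CAP_FOWNER"}

def is_sensitive(path):
    """True for the files the rule singles out (exact paths or anything under /root/.ssh/)."""
    return path in SENSITIVE_FILES or path.startswith(SENSITIVE_DIRS)

def detect_cap_chown_sequences(events, window_seconds=60):
    """Step 1: a non-root process starts with CAP_CHOWN or CAP_FOWNER effective.
    Step 2: the same pid changes the owner of a sensitive file within the window."""
    candidates = {}  # pid -> process_start event that satisfied step 1
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "process_start":
            if e["uid"] != 0 and CAPS_OF_INTEREST & set(e["caps"]):
                candidates[e["pid"]] = e
        elif e["event"] == "file_change":
            start = candidates.get(e["pid"])
            if start is None:
                continue
            if e["ts"] - start["ts"] > timedelta(seconds=window_seconds):
                del candidates[e["pid"]]  # sequence expired; step 2 no longer matches
            elif is_sensitive(e["path"]) and e["old_owner"] != e["new_owner"]:
                alerts.append({"pid": e["pid"], "uid": start["uid"], "path": e["path"],
                               "caps": sorted(CAPS_OF_INTEREST & set(start["caps"])),
                               "new_owner": e["new_owner"]})
    return alerts

# Constructed sample events (not real telemetry); timestamps are offsets from T0.
T0 = datetime(2024, 1, 8, 12, 0, 0)
SAMPLE_EVENTS = [
    {"event": "process_start", "ts": T0, "pid": 4242, "uid": 1000, "caps": ["CAP_CHOWN"]},
    {"event": "file_change", "ts": T0 + timedelta(seconds=5), "pid": 4242,
     "path": "/etc/shadow", "old_owner": 0, "new_owner": 1000},       # should alert
    {"event": "process_start", "ts": T0, "pid": 7, "uid": 0, "caps": ["CAP_CHOWN"]},
    {"event": "file_change", "ts": T0 + timedelta(seconds=1), "pid": 7,
     "path": "/etc/passwd", "old_owner": 0, "new_owner": 1000},       # root: not in scope
    {"event": "process_start", "ts": T0, "pid": 8888, "uid": 1001, "caps": ["CAP_FOWNER"]},
    {"event": "file_change", "ts": T0 + timedelta(seconds=120), "pid": 8888,
     "path": "/etc/sudoers", "old_owner": 0, "new_owner": 1001},      # outside 60 s window
]

def run_sample():
    """Run the detector over the constructed events; expect exactly one alert."""
    return detect_cap_chown_sequences(SAMPLE_EVENTS)
```

Only the pid 4242 sequence completes: the root process is out of scope and the pid 8888 ownership change falls outside the window.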
Categories
- Linux
- Endpoint
Data Sources
- Process
- File
- Network Traffic
- Application Log
- Logon Session
ATT&CK Techniques
- T1068
Created: 2024-01-08