
Potential Privilege Escalation via OverlayFS

Elastic Detection Rules

Summary
This detection rule identifies attempts to exploit a local privilege escalation vulnerability in Ubuntu's modifications to OverlayFS, specifically targeting CVE-2023-2640 and CVE-2023-32629. These vulnerabilities allow attackers to create specially crafted executables that, when executed, can escalate privileges to root on the affected Linux machine. The rule uses an EQL (Event Query Language) sequence to monitor specific patterns indicating privilege escalation attempts via the 'unshare' command. Detection occurs by monitoring process events in which the command is invoked with arguments associated with privilege escalation, followed by a user ID change to root. The risk score is set at 73, marking it as a high-risk event requiring immediate investigation and potential response to mitigate any unauthorized elevation of privileges. The setup instructions outline the configuration required to integrate Elastic Defend so that it monitors endpoint events and provides the necessary threat detection capabilities. Additional investigation steps, false positive analyses, and response recommendations are included to facilitate thorough investigation and remediation.
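The two-stage sequence the summary describes (an 'unshare' execution with suspicious arguments, followed within a short window by the same process changing its user ID to root) can be reproduced outside Elastic as a small event correlator. The Python below is an added example, not the rule's own EQL and not code from Elastic Detection Rules; the event field names, the specific 'unshare' flag list, and the 5-second correlation window are all assumptions made for the illustration, and the sample events are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed, minimal event record. Field names loosely follow ECS
# (process.entity_id, event.action, process.name, process.args, user.id)
# but are an assumption for this example, not the rule's schema.
@dataclass
class Event:
    ts: datetime
    entity_id: str            # identifies one process across its events
    action: str               # "exec" or "uid_change"
    name: str = ""            # process name, used for exec events
    args: Tuple[str, ...] = field(default_factory=tuple)
    user_id: str = ""         # effective user id after a uid_change event

# ASSUMPTION: the page only says "arguments associated with privilege
# escalation"; these namespace/user-mapping flags are a plausible stand-in.
SUSPICIOUS_UNSHARE_FLAGS = {"-r", "-rm", "-m", "--map-root-user"}
MAXSPAN = timedelta(seconds=5)   # assumed correlation window between the two stages

def is_stage1(e: Event) -> bool:
    """unshare executed with at least one of the suspicious flags."""
    return e.action == "exec" and e.name == "unshare" and bool(SUSPICIOUS_UNSHARE_FLAGS & set(e.args))

def is_stage2(e: Event) -> bool:
    """the process changed its user id to root (uid 0)."""
    return e.action == "uid_change" and e.user_id == "0"

def find_sequences(events: List[Event]) -> List[Tuple[Event, Event]]:
    """Return (stage1, stage2) pairs that share an entity_id and where
    stage2 lands within MAXSPAN after stage1, mirroring an EQL
    'sequence by entity_id with maxspan' over the two stages."""
    pending = {}   # entity_id -> most recent unmatched stage1 event
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        if is_stage1(e):
            pending[e.entity_id] = e
        elif is_stage2(e):
            s1 = pending.get(e.entity_id)
            if s1 is not None and timedelta(0) <= e.ts - s1.ts <= MAXSPAN:
                hits.append((s1, e))
                del pending[e.entity_id]      # each stage1 matches at most once
    return hits

T0 = datetime(2023, 7, 28, 12, 0, 0)

# Constructed sample stream covering the cases a practitioner cares about.
SAMPLE_EVENTS = [
    # benign: unshare without suspicious flags, later becomes root (no stage1 -> no hit)
    Event(T0, "p1", "exec", name="unshare", args=("--pid", "--fork", "sleep")),
    Event(T0 + timedelta(seconds=1), "p1", "uid_change", user_id="0"),
    # suspicious: flagged unshare, then root within the window -> hit
    Event(T0 + timedelta(seconds=10), "p2", "exec", name="unshare", args=("-rm", "sh")),
    Event(T0 + timedelta(seconds=12), "p2", "uid_change", user_id="0"),
    # flagged unshare, but the uid change is far outside MAXSPAN -> no hit
    Event(T0 + timedelta(seconds=20), "p3", "exec", name="unshare", args=("-r", "sh")),
    Event(T0 + timedelta(seconds=50), "p3", "uid_change", user_id="0"),
    # root uid change on an unrelated process with no preceding stage1 -> no hit
    Event(T0 + timedelta(seconds=21), "p4", "uid_change", user_id="0"),
]

def alert_lines(events: List[Event]) -> List[str]:
    """Human-readable alert per detected sequence."""
    return [
        f"{s2.ts.isoformat()} entity={s1.entity_id} unshare args={' '.join(s1.args)} -> uid 0"
        for s1, s2 in find_sequences(events)
    ]

if __name__ == "__main__":
    for line in alert_lines(SAMPLE_EVENTS):
        print(line)
```

Only the p2 pair fires: p1 never matches stage 1, p3's uid change falls outside the window, and p4 has no preceding 'unshare'. Sorting by timestamp before correlating matters because endpoint events frequently arrive out of order; a production pipeline would also bound how long `pending` entries are retained.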
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Application Log
  • Sensor Health
  • Network Traffic
  • File
ATT&CK Techniques
  • T1068
Created: 2023-07-28