
Summary
This analytic detects a two-step Linux privilege escalation pattern: an unprivileged user invokes the unshare syscall with user namespace flags, followed within 120 seconds by a root-owned shell or interpreter spawning under the same parent process. It correlates Linux Auditd syscall telemetry (unshare with namespace flags) with Sysmon for Linux EventID 1 process creation events to identify the characteristic sequence leveraged by user-namespace-based exploits such as DirtyFrag. By matching the unshare event’s namespace flags (e.g., CLONE_NEWUSER, CLONE_NEWNET, CLONE_NEWPID) and the subsequent spawning of a root process (su, sudo, pkexec, etc.) from the same parent, the rule flags potential privilege escalation attempts that bypass traditional isolation. The search normalizes fields to CIM-compatible names, computes elapsed time between events, and groups results by destination host, process and syscall, producing a concise alert: “Suspicious namespace created on dest indicating possible privilege escalation via DirtyFrag.” This rule maps to MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation) and is designed to surface kernel-level abuse that leverages user namespaces to escalate privileges on Linux endpoints.
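As an added example (not part of this detection's own search), the correlation described above implemented in Python over constructed telemetry: raw auditd SYSCALL records for unshare, and Sysmon for Linux EventID 1 process-creation events already normalized to CIM field names. The host name web01, the PIDs, timestamps and field names are assumptions.

```python
import re
# Flag bits from <linux/sched.h>; raw auditd records log unshare's flags argument in a0 as hex without 0x.
NAMESPACE_FLAGS = {"CLONE_NEWUSER": 0x10000000, "CLONE_NEWPID": 0x20000000, "CLONE_NEWNET": 0x40000000}
UNSHARE_SYSCALL_X86_64 = 272
ROOT_SHELLS = {"su", "sudo", "pkexec", "bash", "sh", "python3"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # auditd key=value fields, values optionally quoted

def parse_audit_syscall(line, host):
    """Normalize one raw auditd SYSCALL record; None unless it is unshare() with namespace flags."""
    f = {k: v.strip('"') for k, v in KV.findall(line)}
    if f.get("type") != "SYSCALL" or int(f.get("syscall", -1)) != UNSHARE_SYSCALL_X86_64:
        return None
    a0 = int(f["a0"], 16)
    flags = sorted(name for name, bit in NAMESPACE_FLAGS.items() if a0 & bit)
    if not flags:  # e.g. CLONE_NEWNS alone (a plain mount namespace) is out of scope for this rule
        return None
    ts = float(re.search(r"audit\(([\d.]+):", line).group(1))
    return {"_time": ts, "dest": host, "parent_process_id": int(f["ppid"]), "flags": flags}

def correlate(unshare_events, process_events, window=120):
    """Pair each namespace unshare with a root shell spawned later under the same dest and parent PID."""
    alerts = []
    for u in unshare_events:
        for p in process_events:
            elapsed = p["_time"] - u["_time"]
            if (p["dest"] == u["dest"] and p["parent_process_id"] == u["parent_process_id"]
                    and p["user"] == "root" and p["process_name"] in ROOT_SHELLS
                    and 0 <= elapsed <= window):
                alerts.append({"dest": u["dest"], "process_name": p["process_name"],
                               "flags": u["flags"], "elapsed": round(elapsed, 3),
                               "message": f"Suspicious namespace created on {u['dest']} indicating "
                                          "possible privilege escalation via DirtyFrag."})
    return alerts

# Constructed sample telemetry, not real events; host name and PIDs are assumptions.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1718200000.100:501): arch=c000003e syscall=272 success=yes exit=0 '
    'a0=10000000 a1=0 a2=0 a3=0 items=0 ppid=4242 pid=4300 auid=1000 uid=1000 comm="unshare" exe="/usr/bin/unshare"',
    'type=SYSCALL msg=audit(1718200000.200:502): arch=c000003e syscall=272 success=yes exit=0 '
    'a0=20000 a1=0 a2=0 a3=0 items=0 ppid=5000 pid=5001 auid=1000 uid=1000 comm="unshare" exe="/usr/bin/unshare"',
]
PROCESS_EVENTS = [  # Sysmon for Linux EventID 1 fields after CIM normalization
    {"_time": 1718200045.0, "dest": "web01", "parent_process_id": 4242, "process_name": "bash", "user": "root"},
    {"_time": 1718200300.0, "dest": "web01", "parent_process_id": 4242, "process_name": "sh", "user": "root"},
    {"_time": 1718200046.0, "dest": "web01", "parent_process_id": 4242, "process_name": "bash", "user": "alice"},
]

def run(host="web01"):
    unshares = [e for e in (parse_audit_syscall(line, host) for line in AUDIT_LINES) if e]
    return correlate(unshares, PROCESS_EVENTS)
```

Only the root bash spawned 44.9 seconds after the CLONE_NEWUSER unshare alerts; the mount-namespace-only record, the shell outside the 120-second window and the non-root shell are all filtered out.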
Categories
- Linux
- Endpoint
Data Sources
- Windows Registry
- Script
- Image
- Process
- File
- Drive
- Sensor Health
- Kernel
- Driver
- Volume
- Cloud Service
- Network Traffic
- Scheduled Job
- Firewall
- Module
- Command
- Logon Session
- Network Share
- Application Log
- WMI
- Snapshot
- Certificate
- Cloud Storage
- Internet Scan
- Web Credential
- Named Pipe
- Domain Name
- Service
- Active Directory
- Container
- Pod
- Instance
- User Account
ATT&CK Techniques
- T1068
Created: 2026-06-12