
Summary
This rule monitors for the execution of the 'find' command with arguments that search for files carrying the SUID (Set User ID) or SGID (Set Group ID) permission bits on Linux systems, which can indicate an attempt at privilege escalation. These special permissions cause a binary to execute with the privileges of its owner (or owning group) rather than those of the user who launched it. The detection matters because adversaries may abuse misconfigured binaries discovered during such enumeration to elevate their privileges. The rule uses EQL (Event Query Language) to identify processes that run 'find' with arguments indicating a search for SUID/SGID binaries, and it applies a series of exclusions to filter out benign cases where legitimate users or system processes issue similar commands. The risk score of 21 classifies the detection as low severity. The rule is part of Elastic's threat detection content and is designed specifically for Linux endpoints. Users are advised to follow the rule's investigation and response guidance when such a command is detected.
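To make the detection logic described above concrete, the following Python block is an added example (not Elastic's EQL rule or any code from the rule's authors). It models ECS-style process events as simple records, flags executions of 'find' whose '-perm' argument expresses a SUID/SGID mode in octal or symbolic form, applies a constructed parent-process allowlist standing in for the rule's exclusions, and tags each alert with the technique IDs listed on this page. The event schema, the allowlist contents and the sample events are all assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Risk score and technique IDs as stated on the page.
RISK_SCORE = 21
TECHNIQUES = ("T1083", "T1548", "T1548.001")

# Mode expressions that select SUID and/or SGID files when passed to `find -perm`.
# These patterns are an approximation written for this example, not the rule's EQL.
SUID_SGID_PERM_PATTERNS = (
    re.compile(r"^[-/]?0?[2467][0-7]{3}$"),  # octal: -4000, /2000, -6000, 04000, -7555
    re.compile(r"^[-/]?[ug][=+]s$"),         # symbolic: -u=s, -g=s, /u=s, -u+s
)

# Constructed allowlist modelling the rule's exclusions; adjust to the environment.
BENIGN_PARENT_PROCESSES = frozenset({"rkhunter", "lynis"})


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal ECS-like process event (assumed schema for this example)."""
    name: str                 # process.name
    args: tuple[str, ...]     # process.args
    parent_name: str          # process.parent.name
    user_name: str            # user.name
    event_type: str = "start"  # event.type


def is_suid_sgid_mode(arg: str) -> bool:
    """True if the argument is a -perm mode expression that matches SUID/SGID bits."""
    return any(p.match(arg) for p in SUID_SGID_PERM_PATTERNS)


def find_requests_suid_sgid(args: tuple[str, ...]) -> bool:
    """True if a find(1) argv contains `-perm <mode>` selecting SUID or SGID files."""
    for i, arg in enumerate(args[:-1]):  # `-perm` needs a following operand
        if arg == "-perm" and is_suid_sgid_mode(args[i + 1]):
            return True
    return False


def evaluate(event: ProcessEvent) -> bool:
    """Apply the detection logic to one event, including the exclusion step."""
    if event.event_type not in ("start", "exec"):
        return False
    if event.name != "find":
        return False
    if not find_requests_suid_sgid(event.args):
        return False
    if event.parent_name in BENIGN_PARENT_PROCESSES:
        return False  # benign scanner activity filtered out
    return True


def detect(events: list[ProcessEvent]) -> list[dict]:
    """Run the rule over a batch of events and return alert records."""
    alerts = []
    for index, event in enumerate(events):
        if evaluate(event):
            alerts.append({
                "index": index,
                "user": event.user_name,
                "parent": event.parent_name,
                "command_line": " ".join(event.args),
                "risk_score": RISK_SCORE,
                "techniques": TECHNIQUES,
            })
    return alerts


# Constructed sample telemetry; shell redirections such as 2>/dev/null never reach argv.
SAMPLE_EVENTS = [
    ProcessEvent("find", ("find", "/", "-perm", "-4000", "-type", "f"), "bash", "www-data"),
    ProcessEvent("find", ("find", "/", "-perm", "/6000", "-ls"), "lynis", "root"),
    ProcessEvent("find", ("find", "/var/log", "-name", "*.log", "-mtime", "+7"), "cron", "root"),
    ProcessEvent("find", ("find", "/", "-perm", "-u=s", "-type", "f"), "sh", "appuser"),
    ProcessEvent("find", ("find", "/tmp", "-perm", "0644"), "bash", "alice"),
    ProcessEvent("find", ("find", "/", "-perm"), "bash", "alice"),  # truncated argv
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The exclusion step is where such rules earn or lose their keep: a narrow allowlist on the parent process keeps scanner noise out while still surfacing an interactive shell or web-application user enumerating SUID binaries, and the alert record carries the technique IDs so downstream triage can pivot on T1548.001 directly.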
Categories
- Linux
- Endpoint
- Cloud
Data Sources
- Process
- File
- Container
- Application Log
- User Account
ATT&CK Techniques
- T1083
- T1548
- T1548.001
Created: 2023-07-24