
Summary
This detection rule identifies potential privilege escalation attempts on Linux systems by monitoring for processes that use the CAP_SETUID and CAP_SETGID capabilities to change their user and group IDs to root (UID/GID 0). The rule uses EQL (Event Query Language) to build a two-step sequence: a process starts with the capability to change its UID/GID, and the same process then emits an event indicating a change to UID/GID 0. Known benign processes, including system utilities and management tools, are excluded to minimize false positives. The behaviour covered here is a common technique attackers use to gain unauthorized administrative access, so the rule strengthens coverage against privilege escalation.
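The two-step sequence described above, modelled in Python as an added example (it is not the rule's own EQL or Elastic code). The capability bit numbers come from the Linux kernel header; the exclusion list, the 60-second window and all sample events are constructed placeholders.

```python
from collections import namedtuple

# Capability bit numbers from <linux/capability.h>: CAP_SETGID is 6, CAP_SETUID is 7.
CAP_SETGID = 1 << 6
CAP_SETUID = 1 << 7
SETID_MASK = CAP_SETGID | CAP_SETUID

# Assumed placeholder exclusion list; the real rule carries its own, longer list.
EXCLUDED_NAMES = {"sudo", "su", "sshd", "cron", "systemd", "polkitd", "runc"}
MAXSPAN_SECONDS = 60  # assumed sequence window

# Constructed event shape: one "start" or "uid_change" record per telemetry line.
Event = namedtuple("Event", "ts action entity name uid gid caps")

def has_setid_caps(caps):
    """True if the effective capability set includes CAP_SETUID or CAP_SETGID."""
    return bool(caps & SETID_MASK)

def detect(events):
    """Model of the two-step sequence: a non-root process starts carrying setuid/setgid
    capability, then within MAXSPAN the same process switches to UID or GID 0.
    Returns (entity, name) pairs, one per matched sequence."""
    pending = {}   # entity -> qualifying start event awaiting its second step
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "start":
            if ev.uid != 0 and has_setid_caps(ev.caps) and ev.name not in EXCLUDED_NAMES:
                pending[ev.entity] = ev
        elif ev.action == "uid_change" and ev.entity in pending:
            start = pending.pop(ev.entity)
            if ev.ts - start.ts <= MAXSPAN_SECONDS and (ev.uid == 0 or ev.gid == 0):
                alerts.append((ev.entity, start.name))
    return alerts

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    Event(10, "start", "p1", "drop_shell", 1000, 1000, CAP_SETUID),    # suspicious start
    Event(12, "uid_change", "p1", "drop_shell", 0, 1000, CAP_SETUID),  # -> UID 0: alert
    Event(20, "start", "p2", "sudo", 1000, 1000, SETID_MASK),          # excluded utility
    Event(21, "uid_change", "p2", "sudo", 0, 0, SETID_MASK),
    Event(30, "start", "p3", "worker", 1000, 1000, 0),                 # no setid capability
    Event(31, "uid_change", "p3", "worker", 0, 0, 0),
    Event(40, "start", "p4", "agent", 0, 0, CAP_SETUID),               # already root
    Event(50, "start", "p5", "slow_bin", 1000, 1000, CAP_SETGID),
    Event(200, "uid_change", "p5", "slow_bin", 0, 0, CAP_SETGID),      # outside maxspan
]

if __name__ == "__main__":
    for entity, name in detect(SAMPLE_EVENTS):
        print(f"ALERT: {name} ({entity}) changed UID/GID to 0 using CAP_SETUID/CAP_SETGID")
```

Only the first pair fires; the excluded utility, the process without the capability, the process already running as root, and the change outside the window are all suppressed, mirroring the false-positive controls the rule describes.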
Categories
- Endpoint
- Linux
Data Sources
- Process
- User Account
ATT&CK Techniques
- T1068
- T1548
- T1548.001
Created: 2024-01-08