
Linux Binary Launched Process with Null Argv

Splunk Security Content

Summary
This analytic detects kernel-level events in which a setuid binary launches a shell or interpreter via execve() with an empty argument vector (argc == 0, so argv[0] is NULL). Recent kernels (5.18 and later) handle this case in fs/exec.c by inserting an empty string as argv[0] and logging a warning of the form "process '<comm>' launched '<path>' with NULL argv: empty string added", where the first field is the comm of the calling process and the second is the path being executed. No normal program executes another without a real argv array, so the pattern indicates an attempt to confuse a privileged program's argument handling and escalate to root.

The rule ingests Linux kernel syslog data (/var/log/messages or the equivalent journal source), parses messages that report a launching process spawning a launched process with NULL argv, and aggregates results by host, launching process, and launched process. It reports count, firstTime, lastTime, and the matching message text, and applies a cleaning filter macro to reduce noise. Two caveats matter when tuning it: the kernel emits this warning with pr_warn_once, so only the first empty-argv execve after each boot is logged and repeated attempts on an already-running host are silent to this analytic; and the kernel logs the message for any empty-argv exec, not only for setuid binaries, so the narrowing to setuid launchers and shell or interpreter targets happens in the search, not in the kernel.

The finding is mapped to MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation) and the page associates it with CVE-2026-43284 and CVE-2026-43500. The analytic story is Linux Privilege Escalation. Tests reference kernel log datasets to validate true positive detections. Product coverage includes Splunk Enterprise, Splunk Enterprise Security, and Splunk Cloud, with an endpoint/Linux focus. The rule is designed to alert when legitimate setuid binaries (including su, sudo, and pkexec) unexpectedly spawn shells via NULL argv, which is uncommon in normal operation and typically indicates an exploitation attempt.
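The following is an added example, not the analytic's own SPL or its cleaning macro: a stand-alone Python re-implementation of the parse-and-aggregate logic the summary describes, run over constructed syslog lines carrying the kernel's NULL-argv warning. It groups hits by host, launching process and launched process, computes count, firstTime and lastTime, and applies the page's condition (a setuid launcher spawning a shell or interpreter). It also goes one step beyond the page by flagging the reverse direction, where some process execs a setuid binary itself with an empty argv, since the kernel message records the caller's comm and the executed path and that case is what an argc == 0 attack against the setuid binary looks like in the log. The syslog line layout, the year assumed for timestamps, the sets of setuid binaries and interpreters, the allowlist standing in for the filter macro, and the sample log lines are all assumptions made for this example.

```python
"""
Added example (not Splunk's own SPL or macro): stand-alone re-implementation of
the aggregation performed by "Linux Binary Launched Process with Null Argv",
run over constructed syslog lines.

Assumptions (not from the page): the syslog line layout, the year used for the
timestamps, the sets of setuid binaries and interpreters, the allowlist that
stands in for the analytic's cleaning filter macro, and the sample log data.
"""
import re
from collections import defaultdict
from datetime import datetime

# Syslog line as rsyslog/journald typically write kernel messages (assumed layout).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+kernel:\s*"
    r"(?:\[\s*[\d.]+\]\s*)?(?P<msg>.*)$"
)
# Kernel warning from fs/exec.c: first field is the caller's comm, second the exec'd path.
NULL_ARGV_RE = re.compile(
    r"process '(?P<launcher>[^']+)' launched '(?P<launched>[^']+)' with NULL argv"
)

SYSLOG_YEAR = 2026  # assumption: classic syslog timestamps carry no year

SETUID_BINARIES = {"su", "sudo", "pkexec", "passwd", "mount", "umount"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "python", "python3", "perl", "ruby"}

# Stand-in for the analytic's cleaning filter macro: (launcher, launched) pairs to suppress.
ALLOWLIST = {("systemd", "/usr/lib/systemd/systemd-tmpfiles")}


def parse_line(line):
    """Return (timestamp, host, launcher, launched), or None for lines that are not NULL-argv kernel warnings."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    k = NULL_ARGV_RE.search(m.group("msg"))
    if not k:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), k.group("launcher"), k.group("launched")


def aggregate(lines):
    """Group hits by (host, launcher, launched) with count, firstTime, lastTime and the raw messages."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "messages": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, launcher, launched = parsed
        g = groups[(host, launcher, launched)]
        g["count"] += 1
        g["firstTime"] = ts if g["firstTime"] is None else min(g["firstTime"], ts)
        g["lastTime"] = ts if g["lastTime"] is None else max(g["lastTime"], ts)
        g["messages"].append(line.strip())
    return dict(groups)


def basename(path):
    return path.rsplit("/", 1)[-1]


def is_suspicious(launcher, launched):
    """The page's condition (setuid launcher spawning a shell/interpreter), plus the reverse
    direction: any process exec'ing a setuid binary itself with an empty argv."""
    if (launcher, launched) in ALLOWLIST:
        return False
    if launcher in SETUID_BINARIES and basename(launched) in INTERPRETERS:
        return True
    if basename(launched) in SETUID_BINARIES:
        return True
    return False


def detect(lines):
    """Return findings as (host, launcher, launched, count, firstTime, lastTime), sorted by key."""
    out = []
    for (host, launcher, launched), g in sorted(aggregate(lines).items()):
        if is_suspicious(launcher, launched):
            out.append((host, launcher, launched, g["count"],
                        g["firstTime"].isoformat(), g["lastTime"].isoformat()))
    return out


# Constructed sample syslog lines (not real telemetry). web01 shows the same hit across two
# boots, which is the only way the pr_warn_once message repeats on one host.
SAMPLE_LOG = """\
Jun 12 10:15:01 web01 kernel: [12345.678901] process 'pkexec' launched '/bin/sh' with NULL argv: empty string added
Jun 12 11:30:44 web01 kernel: [   41.220000] process 'pkexec' launched '/bin/sh' with NULL argv: empty string added
Jun 12 10:16:00 db01 kernel: [   99.000000] process 'a.out' launched '/usr/bin/pkexec' with NULL argv: empty string added
Jun 12 10:17:00 db01 kernel: [  100.000000] process 'systemd' launched '/usr/lib/systemd/systemd-tmpfiles' with NULL argv: empty string added
Jun 12 10:18:00 db01 sshd[4242]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
""".splitlines()

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Running the block prints two findings: the pkexec-to-/bin/sh pair on web01 with count 2 and the two boot-separated timestamps, and the a.out-to-/usr/bin/pkexec hit on db01; the systemd line is dropped by the allowlist and the sshd line never parses as a kernel warning. Because the kernel only logs the first empty-argv exec per boot, a count above 1 for one host means the host rebooted between hits, which is itself worth a second look.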
Categories
  • Linux
  • Endpoint
Data Sources
  • Kernel
  • Logon Session
  • Application Log
  • Windows Registry
  • Script
  • File
  • Process
  • Cloud Service
  • Network Traffic
ATT&CK Techniques
  • T1068
Created: 2026-06-12