
Summary
This rule detects potential sudo token manipulation via process injection on Linux by watching for a debugger (gdb) being started, followed shortly by a successful user ID change to root inside a sudo process. In this attack, code is injected into a process that still holds a valid sudo token, letting the attacker activate sudo privileges without re-authenticating. The detection relies on Elastic process events, so the Elastic Defend integration must be deployed to capture them. The rule matches a specific sequence: first, a gdb process started by a non-root user, and subsequently a uid change to root during a sudo execution. The risk is rated medium because of the potential for privilege escalation. When the rule fires, investigation should examine the process tree, review logs for unauthorized sudo commands, and assess the context of the user activity leading up to the uid change.
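The two-stage sequence described above, written out as a small stand-alone correlator so the matching logic is concrete. This is an added example, not Elastic's rule, query language or event schema: the field names (`host`, `session`, `action`, `process`, `uid`), the 15-second correlation window and the sample events are all constructed assumptions.

```python
"""Toy sequence detector for the gdb -> sudo uid-change pattern.

Added example; not Elastic's rule or EQL engine. Field names, the
correlation window and the sample events below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float        # seconds since epoch (constructed)
    host: str        # correlation key: host the event came from
    session: str     # correlation key: login/terminal session (assumed field)
    action: str      # "exec" = process start, "uid_change" = credential change
    process: str     # process name
    uid: str         # effective user id after the event, "0" meaning root


MAXSPAN = 15.0  # assumed window between stage 1 and stage 2, in seconds


def is_stage1(ev):
    """Stage 1: gdb started by a non-root user."""
    return ev.action == "exec" and ev.process == "gdb" and ev.uid != "0"


def is_stage2(ev):
    """Stage 2: a sudo process successfully changes its uid to root."""
    return ev.action == "uid_change" and ev.process == "sudo" and ev.uid == "0"


def detect(events):
    """Return (gdb_event, sudo_event) pairs where stage 2 follows stage 1
    on the same host and session within MAXSPAN seconds."""
    pending = defaultdict(list)   # (host, session) -> stage-1 events awaiting stage 2
    matches = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.session)
        # drop stage-1 events that can no longer pair with anything
        pending[key] = [g for g in pending[key] if ev.ts - g.ts <= MAXSPAN]
        if is_stage1(ev):
            pending[key].append(ev)
        elif is_stage2(ev) and pending[key]:
            # pair with the oldest still-valid gdb start, then consume it
            first = pending[key].pop(0)
            matches.append((first, ev))
    return matches


# Constructed sample telemetry: one true positive, three benign sequences.
SAMPLE_EVENTS = [
    Event(100.0, "h1", "s1", "exec", "gdb", "1000"),        # non-root starts gdb
    Event(103.0, "h1", "s1", "uid_change", "sudo", "0"),    # sudo -> root 3s later: alert
    Event(200.0, "h1", "s2", "exec", "gdb", "0"),           # root debugging: not stage 1
    Event(202.0, "h1", "s2", "uid_change", "sudo", "0"),    # no pending gdb: no alert
    Event(300.0, "h2", "s1", "exec", "gdb", "1000"),        # non-root gdb on another host
    Event(330.0, "h2", "s1", "uid_change", "sudo", "0"),    # 30s later, outside window
    Event(400.0, "h1", "s1", "uid_change", "sudo", "0"),    # ordinary sudo use: no alert
]


def demo():
    """Run the detector over the constructed events and describe each hit."""
    hits = detect(SAMPLE_EVENTS)
    for gdb_ev, sudo_ev in hits:
        print(f"ALERT host={gdb_ev.host} session={gdb_ev.session} "
              f"gdb(uid={gdb_ev.uid}) at {gdb_ev.ts} -> sudo uid_change at {sudo_ev.ts}")
    return hits


if __name__ == "__main__":
    demo()
```

Running it yields a single alert for the first pair. The three remaining sudo uid changes show why the sequence matters: a root user running gdb, a sudo elevation with no preceding debugger, and a gdb start too long before the elevation all stay silent. A legitimate developer who debugs a program and then runs sudo in the same session within the window will still trigger it, which is why the triage steps above (process tree, sudo logs, surrounding user activity) are needed before treating a hit as confirmed.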
Categories
- Endpoint
- Linux
Data Sources
- Process
- User Account
- Logon Session
ATT&CK Techniques
- T1055
- T1055.008
- T1548
- T1548.003
Created: 2023-07-31