
Potential Root Effective Shell from Non-Standard Path via Auditd

Elastic Detection Rules

Summary
Detects Linux process executions where the effective user is root while the real user is non-root, the command line includes the -p flag (commonly used with shells to preserve privileges), and the executable path is outside standard system binary directories. This pattern aligns with abuse of setuid/setgid shells or similar privileged helpers placed in writable or non-standard locations to regain root after local compromise.

The rule leverages Auditd Manager data focusing on process events (exec/executed) and maps to MITRE ATT&CK technique T1548.001 (Setuid and Setgid) under T1548 (Abuse Elevation Control Mechanism).

It supports triage by inspecting process.executable, process.args, and parent relationships, corroborating user.id vs user.effective.id with login/session context, and cross-referencing on-disk binary attributes (setuid bit, ownership) and related authentication events.

False positives include legitimate non-standard wrappers shipped by vendors or hardened images, and potential auditd field mapping discrepancies across versions.

Remediation guidance includes isolating the host, quarantining/removing the suspicious binary, auditing all setuid binaries, and considering re-imaging if integrity cannot be established.

The rule is intended for Linux hosts via Auditd Manager and requires consistent population of event.action, user.id, user.effective.id, process.args, and process.executable for reliable detection.
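As an added illustration (not the rule's own query source), the matching logic the summary describes, expressed in Python over constructed ECS-style auditd events, with an allowlist parameter for the vendor-wrapper false positives and an on-disk setuid/ownership check for triage. The list of standard directories, the flat field keys and the sample events are assumptions.

```python
import os
import stat

# Assumed set of standard system binary directories; any executable outside
# these satisfies the rule's non-standard-path condition.
STANDARD_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/local/bin/", "/usr/local/sbin/")

def is_standard_path(executable: str) -> bool:
    return any(executable.startswith(d) for d in STANDARD_BIN_DIRS)

def matches_rule(event: dict, allowlist=()) -> bool:
    """Apply the rule's conditions to one flat ECS-style auditd process event."""
    if event.get("event.action") not in ("exec", "executed"):
        return False
    # Effective user must be root while the real user is non-root (uid 0 excluded).
    if event.get("user.effective.id") != "0" or event.get("user.id") in (None, "0"):
        return False
    if "-p" not in (event.get("process.args") or []):
        return False
    exe = event.get("process.executable") or ""
    if not exe or is_standard_path(exe):
        return False
    # Tuning knob: vendor-shipped wrappers reviewed and documented as legitimate.
    return exe not in set(allowlist)

def alerting_executables(events, allowlist=()):
    return [e["process.executable"] for e in events if matches_rule(e, allowlist)]

def setuid_root_on_disk(path: str):
    """Triage helper: True if root-owned with the setuid bit set, False if not,
    None if the binary is no longer on disk (itself worth noting in the case)."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)

# Constructed sample events (not real telemetry), one per branch of the logic:
# alert, real user already root, standard path, vendor wrapper to allowlist.
SAMPLE_EVENTS = [
    {"event.action": "executed", "user.id": "1000", "user.effective.id": "0",
     "process.executable": "/tmp/bash", "process.args": ["/tmp/bash", "-p"]},
    {"event.action": "executed", "user.id": "0", "user.effective.id": "0",
     "process.executable": "/bin/bash", "process.args": ["/bin/bash", "-p"]},
    {"event.action": "executed", "user.id": "1000", "user.effective.id": "0",
     "process.executable": "/usr/bin/bash", "process.args": ["/usr/bin/bash", "-p"]},
    {"event.action": "executed", "user.id": "1000", "user.effective.id": "0",
     "process.executable": "/opt/vendor/bin/vsh", "process.args": ["/opt/vendor/bin/vsh", "-p"]},
]
```

Calling `alerting_executables(SAMPLE_EVENTS, allowlist={"/opt/vendor/bin/vsh"})` leaves only the `/tmp/bash` event, which is the one a triager would then check with `setuid_root_on_disk`.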
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
ATT&CK Techniques
  • T1548
  • T1548.001
Created: 2026-04-24