Capabilities Discovery - Linux

Summary
This detection rule identifies use of the Linux binary `getcap`, which is commonly run during reconnaissance to enumerate the capabilities set on binaries, a step typically aimed at privilege escalation. Listing capabilities lets an attacker spot binaries whose capabilities can be abused, notably those documented in GTFOBins. The rule triggers on process creation events whose command line arguments include specific indicators of `getcap` usage. This detection matters because it helps system administrators and security professionals recognise scanning or probing behaviour aimed at gaining privileges on Linux systems.
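As an added example (not code from the rule page), a small Python matcher that applies the rule's logic to constructed process-creation events. Field names follow Sigma's process_creation convention (`Image`, `CommandLine`); the exact indicators, an image ending in `/getcap` plus the recursive `-r` flag, are assumed here because the page does not list them.

```python
import shlex

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap -r / 2>/dev/null", "User": "www-data"},
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap /usr/bin/ping", "User": "root"},
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/passwd", "User": "www-data"},
    {"Image": "/usr/bin/grep", "CommandLine": "grep -r getcap /var/log", "User": "admin"},
]


def is_getcap_recon(event: dict) -> bool:
    """Return True when the event looks like a tree-wide capabilities sweep.

    Assumed indicators (the page names getcap but not the matched fields):
      - the executed image is getcap itself, so a command line that merely
        mentions the word (e.g. `grep -r getcap ...`) does not match;
      - the recursive flag '-r' is present, i.e. a scan of a directory tree
        rather than a one-off query of a single binary by an administrator.
    """
    image = event.get("Image", "")
    if not image.endswith("/getcap"):
        return False
    cmdline = event.get("CommandLine", "")
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in the captured command line
        argv = cmdline.split()
    return "-r" in argv[1:]


def flag_events(events: list) -> list:
    """Filter a batch of events down to those matching the detection logic."""
    return [e for e in events if is_getcap_recon(e)]


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"ALERT capabilities discovery: user={hit['User']} cmd={hit['CommandLine']!r}")
```

Only the recursive sweep by `www-data` is reported; the single-file query by root and the unrelated `grep` are left alone.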
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
Created: 2022-12-28