
Summary
Detects suspicious process chains on Linux hosts where a non-root user starts a high-risk parent process (a script interpreter, a shell one-liner such as sh -c, or a binary executed from a user-writable path such as /tmp or /dev/shm) and, within a short time window, that parent spawns a privilege-escalation helper (su, sudo, pkexec, passwd, chsh, newgrp). These helpers are SUID-root binaries, so the Auditd SYSCALL record for their execve shows euid=0 while uid (the real UID) is still the non-root user; the rule keys on that uid/euid mismatch in the child together with the high-risk parent. Matches can indicate abuse of SUID/SGID binaries, polkit or sudo misuse, or an interactive privilege escalation captured in Auditd telemetry. The rule is evaluated against Auditd Manager data and is tuned for a direct parent-child pair within a brief window, so longer or slower chains are out of scope. Expect benign matches from administrators and automation that call sudo from scripts or one-liners; tune by excluding known automation accounts or trusted script paths rather than by widening the time window.
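As an added example (this is not the rule's own query and not code from the Auditd Manager integration), the Python below runs the detection logic described above over a handful of constructed auditd SYSCALL/EXECVE records. It joins the two record types by audit serial number, tracks the most recent execve per PID, and alerts when a helper from the list in the summary is executed with uid != 0 and euid == 0 by a high-risk parent within the window. The helper list comes from the summary; the interpreter pattern, shell list, user-writable path prefixes, the 5-second window, and every log line are assumptions made for the example.

```python
"""Added example: auditd-based detection of a high-risk parent followed by a
SUID/sudo helper that runs with euid=0 while the real uid stays non-root.
All log lines below are constructed for illustration, not captured from a host."""
import re
from collections import defaultdict

# Privilege-escalation helpers named in the rule summary.
HELPERS = {"su", "sudo", "pkexec", "passwd", "chsh", "newgrp"}
# Assumed definition of a "high-risk parent" (not the rule's exact list).
INTERPRETER_RE = re.compile(r"^(python|perl|ruby|php|node|lua)[\d.]*$")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
WINDOW_SECONDS = 5.0  # assumed "brief time window"

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one raw auditd record into a dict of its key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "ts": float(m.group(2)), "serial": int(m.group(3))}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(line[m.end():]))
    return rec


def execve_events(lines):
    """Join SYSCALL and EXECVE records that share an audit serial; keep execve only."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line.strip())
        if rec is None:
            continue
        ev = events[rec["serial"]]
        ev["ts"] = rec["ts"]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "EXECVE":
            ev["argv"] = [rec.get(f"a{i}", "") for i in range(int(rec.get("argc", 0)))]
    # syscall 59 is execve on x86_64 (arch=c000003e)
    return [ev for _, ev in sorted(events.items())
            if "syscall" in ev and ev["syscall"].get("syscall") == "59"]


def basename(path):
    return path.rsplit("/", 1)[-1]


def is_high_risk_parent(ev):
    """Interpreter, shell one-liner (-c), or anything run from a user-writable path."""
    exe = ev["syscall"].get("exe", "")
    name = basename(exe)
    if INTERPRETER_RE.match(name):
        return True
    if name in SHELLS and "-c" in ev.get("argv", []):
        return True  # an interactive shell (no -c) is deliberately not high-risk
    return exe.startswith(USER_WRITABLE)


def detect(lines, window=WINDOW_SECONDS):
    """Alert on helper execs with uid!=0 and euid==0 whose parent is high-risk."""
    alerts = []
    last_exec = {}  # pid -> most recent execve event seen for that pid
    for ev in execve_events(lines):
        sc = ev["syscall"]
        parent = last_exec.get(sc.get("ppid"))
        if (basename(sc.get("exe", "")) in HELPERS
                and sc.get("uid") != "0" and sc.get("euid") == "0"
                and parent is not None and is_high_risk_parent(parent)
                and 0 <= ev["ts"] - parent["ts"] <= window):
            alerts.append({
                "parent_exe": parent["syscall"]["exe"],
                "parent_argv": parent.get("argv", []),
                "child_exe": sc["exe"],
                "uid": sc["uid"], "euid": sc["euid"],
                "delta_s": round(ev["ts"] - parent["ts"], 3),
            })
        last_exec[sc.get("pid")] = ev
    return alerts


# Constructed sample: one true positive (python3 -> sudo 1.15 s later), one
# interactive shell running sudo (no -c, so not high-risk), and one /dev/shm
# binary calling pkexec 60 s later (outside the window).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1715155200.100:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=4000 pid=4100 auid=1000 uid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="exec"
type=EXECVE msg=audit(1715155200.100:1001): argc=2 a0="python3" a1="/tmp/stage.py"
type=SYSCALL msg=audit(1715155201.250:1002): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 auid=1000 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=EXECVE msg=audit(1715155201.250:1002): argc=3 a0="sudo" a1="-n" a2="/bin/sh"
type=SYSCALL msg=audit(1715155300.000:1003): arch=c000003e syscall=59 success=yes exit=0 ppid=4990 pid=5000 auid=1000 uid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1715155300.000:1003): argc=1 a0="-bash"
type=SYSCALL msg=audit(1715155302.000:1004): arch=c000003e syscall=59 success=yes exit=0 ppid=5000 pid=5001 auid=1000 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=EXECVE msg=audit(1715155302.000:1004): argc=2 a0="sudo" a1="apt"
type=SYSCALL msg=audit(1715155400.000:1005): arch=c000003e syscall=59 success=yes exit=0 ppid=6990 pid=7000 auid=1000 uid=1000 euid=1000 comm="x" exe="/dev/shm/x" key="exec"
type=EXECVE msg=audit(1715155400.000:1005): argc=1 a0="./x"
type=SYSCALL msg=audit(1715155460.000:1006): arch=c000003e syscall=59 success=yes exit=0 ppid=7000 pid=7001 auid=1000 uid=1000 euid=0 comm="pkexec" exe="/usr/bin/pkexec" key="priv_esc"
type=EXECVE msg=audit(1715155460.000:1006): argc=2 a0="pkexec" a1="/bin/sh"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Widening the window to 120 seconds makes the /dev/shm case fire as well, which is the trade-off the summary's "brief time window" encodes: a longer window catches slower chains but lets ordinary admin activity from scripts through as alerts.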
Categories
- Endpoint
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1548
- T1548.001
- T1548.003
Created: 2026-05-08