
Suspicious SUID Binary Execution

Elastic Detection Rules

Summary
This rule detects potential privilege escalation on Linux endpoints by monitoring executions of common privilege-elevation utilities (su, sudo, pkexec, passwd, chsh, newgrp) where the process runs with a root effective user (process.user.id: "0") while the real user is non-root and the parent process is also non-root. To favour terse, script-driven abuse over ordinary administrative use, it requires a minimal argument count: sudo and pkexec with one argument; su, passwd, chsh and newgrp with two or fewer.

It additionally requires a suspicious parent context. The parent must be an interpreter (python*, perl*, ruby*, node, bun, java, php*, lua*, among others), or execute from a user-writable location (e.g., /tmp, /var/tmp, /dev/shm, /home, /run/user), or be a shell (bash, sh, zsh, dash, fish, ksh) invoked with -c or a similar command option, or with a short argument set (four or fewer). A shell parent matching those conditions can indicate an obfuscated or rapid one-liner used to elevate privileges.

The rule targets Linux endpoint environments and relies on process data to surface root-privilege attempts initiated by non-root users. Interpreters and shell one-liners are also common in automation, so expect some benign hits from scripts and tooling that call sudo on behalf of an unprivileged user.

When the rule fires, review the parent/child relationship, verify whether the real user should have elevated access, check the sudoers and polkit policy that permitted the elevation, and decide whether the activity is legitimate administration or abuse. Recommended triage steps include examining process.parent.command_line and the working directory, checking for recently downloaded or decoded files, and pivoting on the host and user for further privilege-escalation indicators. If the activity is unauthorized, contain the session, revoke the elevated access, and audit the polkit and sudo policies that allowed it.

MITRE ATT&CK mapping: T1548 (Abuse Elevation Control Mechanism), with sub-techniques T1548.001 (Setuid and Setgid) and T1548.003 (Sudo and Sudo Caching).
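The logic described above, reimplemented in Python over a handful of constructed events so the effect of each condition can be seen. This is an added illustration, not the Elastic rule's own query or any code from the Elastic detection-rules repository; it assumes ECS-style field names (process.name, process.args, process.user.id, process.real_user.id, process.parent.*), of which only process.user.id is quoted by the summary, and it assumes that "N arguments" means N arguments after the program name itself.

```python
import fnmatch
from typing import Any, Dict, List

# Conditions from the rule summary, expressed as data.
# Value = maximum number of arguments after argv[0] (assumption: the summary's
# "one argument" / "two or fewer arguments" do not count the program name).
ELEVATION_UTILS = {"sudo": 1, "pkexec": 1, "su": 2, "passwd": 2, "chsh": 2, "newgrp": 2}
INTERPRETER_PATTERNS = ("python*", "perl*", "ruby*", "node", "bun", "java", "php*", "lua*")
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")
SHELLS = {"bash", "sh", "zsh", "dash", "fish", "ksh"}


def suspicious_parent(parent: Dict[str, Any]) -> bool:
    """Parent context the rule flags: interpreter, user-writable path, or terse shell."""
    name = parent["name"]
    args = parent.get("args", [])
    if any(fnmatch.fnmatchcase(name, pat) for pat in INTERPRETER_PATTERNS):
        return True
    if parent.get("executable", "").startswith(USER_WRITABLE_PREFIXES):
        return True
    # Shell invoked with -c, or with four or fewer arguments in total.
    if name in SHELLS and ("-c" in args[1:] or len(args) <= 4):
        return True
    return False


def matches(event: Dict[str, Any]) -> bool:
    """True when a single process event satisfies every condition of the rule."""
    proc = event["process"]
    parent = proc["parent"]
    name = proc["name"]
    if name not in ELEVATION_UTILS:
        return False
    # Effective root, but real user and parent user are both non-root.
    if proc["user"]["id"] != "0":
        return False
    if proc["real_user"]["id"] == "0" or parent["user"]["id"] == "0":
        return False
    # Terse invocation: arguments after argv[0] must not exceed the per-utility limit.
    if len(proc["args"]) - 1 > ELEVATION_UTILS[name]:
        return False
    return suspicious_parent(parent)


def find_alerts(events: List[Dict[str, Any]]) -> List[str]:
    """Return the ids of the events that would trigger the rule."""
    return [e["id"] for e in events if matches(e)]


def ev(eid, name, args, euid, ruid, pname, pargs, pexe, puid) -> Dict[str, Any]:
    """Build a minimal ECS-shaped process event (constructed sample data)."""
    return {
        "id": eid,
        "process": {
            "name": name, "args": args,
            "user": {"id": euid}, "real_user": {"id": ruid},
            "parent": {"name": pname, "args": pargs, "executable": pexe, "user": {"id": puid}},
        },
    }


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # sudo with one argument from a `bash -c` one-liner: matches.
    ev("e1", "sudo", ["sudo", "id"], "0", "1000",
       "bash", ["bash", "-c", "sudo id"], "/usr/bin/bash", "1000"),
    # sudo with three arguments from an interactive shell: too many arguments.
    ev("e2", "sudo", ["sudo", "apt", "update", "-y"], "0", "1000",
       "bash", ["bash"], "/usr/bin/bash", "1000"),
    # passwd with no arguments spawned by a Python interpreter: matches.
    ev("e3", "passwd", ["passwd"], "0", "1000",
       "python3", ["python3", "-c", "import os; os.system('passwd')"], "/usr/bin/python3", "1000"),
    # su launched by a binary executing from /tmp: matches on the writable-path condition.
    ev("e4", "su", ["su", "-"], "0", "1000",
       "stage", ["./stage"], "/tmp/.x/stage", "1000"),
    # Real user and parent are already root: not a non-root escalation.
    ev("e5", "sudo", ["sudo", "-i"], "0", "0",
       "bash", ["bash", "-c", "sudo -i"], "/usr/bin/bash", "0"),
    # pkexec from a desktop shell: parent is neither interpreter, writable path nor shell.
    ev("e6", "pkexec", ["pkexec", "/usr/bin/gparted"], "0", "1000",
       "gnome-shell", ["/usr/bin/gnome-shell"], "/usr/bin/gnome-shell", "1000"),
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # e1, e3, e4
```

Events e2 and e6 show why the argument limit and the parent-context requirement matter: without them, every routine `sudo apt ...` or desktop polkit prompt would fire. Tuning in a real deployment usually means adding exceptions for the specific automation parents (configuration-management agents, CI runners) that legitimately drive sudo from an interpreter.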
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
ATT&CK Techniques
  • T1548
  • T1548.001
  • T1548.003
Created: 2026-04-30