
Summary
This rule detects attempts to exploit CVE-2021-3156, a heap-based buffer overflow in the Sudo utility on Unix-like systems that lets an unprivileged local user escalate to root. The rule queries process-start events in which sudo or sudoedit is invoked with a suspicious argument pattern: an argument containing a backslash together with the -i or -s flag (both of which run sudo in shell mode). Only specific Sudo versions are affected (legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1; the flaw was fixed in 1.9.5p2), and the same argument pattern can appear in legitimate administrative commands and automated scripts, so matches on patched hosts or from known scripts should be assessed as likely false positives.
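The matching logic the summary describes, run over constructed process events, as an added example written for this page rather than the rule engine's own query or code from the rule's authors. The event field names follow ECS-style dotted keys (event.type, process.name, process.args), which is an assumption about the event schema; treating a bundled short-option cluster such as -si as carrying the -i or -s flag goes beyond the page's wording and is also an assumption.

```python
"""Illustrative detection logic for the rule summarised above (added example).

Assumptions, not from the page: events are flat dicts with ECS-style dotted
keys; short-option clusters like "-si" count as carrying -i / -s.
"""

SUDO_BINARIES = {"sudo", "sudoedit"}
SHELL_MODE_FLAGS = {"i", "s"}   # -i (login shell) and -s (shell) both run sudo in shell mode


def has_shell_mode_flag(args):
    """True if any argument is -i or -s, or a single-dash option cluster
    (e.g. -si, -Hs) that contains either letter. Long options (--login)
    are deliberately not matched, mirroring the rule's '-i' / '-s' wording."""
    for arg in args:
        if arg.startswith("-") and not arg.startswith("--") and len(arg) > 1:
            if set(arg[1:]) & SHELL_MODE_FLAGS:
                return True
    return False


def has_backslash_arg(args):
    """True if any argument contains a literal backslash character."""
    return any("\\" in arg for arg in args)


def matches_rule(event):
    """Reproduce the rule: a process *start* of sudo/sudoedit whose arguments
    include a backslash together with the -i or -s flag."""
    if event.get("event.type") != "start":
        return False
    if event.get("process.name") not in SUDO_BINARIES:
        return False
    args = event.get("process.args", [])
    return has_backslash_arg(args) and has_shell_mode_flag(args)


def evaluate(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events for illustration; not captured telemetry.
SAMPLE_EVENTS = [
    # 1: sudoedit in shell mode with a lone-backslash argument -> alert
    {"id": 1, "event.type": "start", "process.name": "sudoedit",
     "process.args": ["sudoedit", "-s", "\\"]},
    # 2: plain login shell, no backslash anywhere -> no alert
    {"id": 2, "event.type": "start", "process.name": "sudo",
     "process.args": ["sudo", "-i"]},
    # 3: legitimate admin task; the backslash is a regex escape, yet the
    #    pattern matches -> alert (the false-positive case the summary warns about)
    {"id": 3, "event.type": "start", "process.name": "sudo",
     "process.args": ["sudo", "-s", "grep", "foo\\.bar", "/var/log/syslog"]},
    # 4: bundled short options; -s is inside "-Hs" -> alert (assumed handling)
    {"id": 4, "event.type": "start", "process.name": "sudoedit",
     "process.args": ["sudoedit", "-Hs", "\\"]},
    # 5: not sudo/sudoedit -> no alert even though the arguments look similar
    {"id": 5, "event.type": "start", "process.name": "su",
     "process.args": ["su", "-s", "/bin/sh", "\\"]},
    # 6: right arguments but a process *end* event -> no alert
    {"id": 6, "event.type": "end", "process.name": "sudo",
     "process.args": ["sudo", "-s", "\\"]},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "ALERT" if matches_rule(event) else "ok", event["process.args"])
    print("alerting event ids:", evaluate(SAMPLE_EVENTS))
```

Event 3 is the case to keep in mind when tuning: the rule fires on the argument pattern alone, so an allowlist of known scripts or a check of the installed sudo version against the affected ranges is what separates a real attempt from an administrator escaping a regex.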
Categories
- Endpoint
- Linux
- macOS
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1068
Created: 2021-02-03