
Summary
This detection rule identifies a process that is executed with an effective user or group ID of 0 (root) while its real user or group ID is not 0, a combination that indicates the executable carries SUID/SGID permissions. Such permissions let a process run with elevated privileges, which attackers can misuse for privilege escalation or to establish persistence. The rule uses EQL (Event Query Language) to monitor process events on Linux systems and alerts on unauthorized use of root capabilities of the kind typically associated with privilege escalation techniques. The query specifies an extensive list of processes whose execution with elevated privileges may indicate misuse of SUID/SGID permissions. The rule also includes investigation steps and management best practices to guide response actions against potential misuse, helping organizations mitigate the risks associated with privilege escalation attacks.
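The condition the rule describes (effective ID 0 paired with a non-zero real ID at process execution) is easy to model outside EQL. The following Python is an added example, not the rule's own query or code from the rule's authors: it applies that check to a handful of constructed process events, reports whether the SUID bit, the SGID bit, or both triggered it, and optionally narrows to a caller-supplied process watchlist in the way the summary says the query does. The ECS-style field names (`user.id`, `process.real_user.id`, `group.id`, `process.real_group.id`, `process.name`) are an assumption about the event shape, and the process names in the sample data are invented.

```python
"""Stand-alone model of the SUID/SGID execution check described above.

Each event is a flat dict of process attributes. The detection condition
mirrors the rule: the effective user or group ID is 0 (root) while the
matching real ID is not 0, which is how a kernel-applied setuid/setgid
bit appears at exec time. Field names are ECS-style assumptions, not the
rule's own; the sample events below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Any, Iterable, Optional


@dataclass(frozen=True)
class Alert:
    process: str
    reason: str  # "suid", "sgid" or "suid+sgid"
    ruid: Optional[int]
    rgid: Optional[int]


def _as_int(value: Any) -> Optional[int]:
    """Log pipelines often carry IDs as strings; normalise, or None if absent/garbled."""
    if value is None:
        return None
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def suid_sgid_reason(event: dict) -> Optional[str]:
    """Return why the event matches the rule's condition, or None if it does not.

    A missing real ID never produces a match: incomplete telemetry should not
    turn every root process into an alert.
    """
    euid = _as_int(event.get("user.id"))
    ruid = _as_int(event.get("process.real_user.id"))
    egid = _as_int(event.get("group.id"))
    rgid = _as_int(event.get("process.real_group.id"))

    suid = euid == 0 and ruid is not None and ruid != 0
    sgid = egid == 0 and rgid is not None and rgid != 0

    if suid and sgid:
        return "suid+sgid"
    if suid:
        return "suid"
    if sgid:
        return "sgid"
    return None


def detect(events: Iterable[dict], watchlist: Optional[set] = None) -> list:
    """Run the check over process events.

    `watchlist` stands in for the rule's list of process names; when given,
    only those processes are considered, as the summary describes the query doing.
    """
    alerts = []
    for ev in events:
        name = ev.get("process.name", "<unknown>")
        if watchlist is not None and name not in watchlist:
            continue
        reason = suid_sgid_reason(ev)
        if reason is not None:
            alerts.append(Alert(
                process=name,
                reason=reason,
                ruid=_as_int(ev.get("process.real_user.id")),
                rgid=_as_int(ev.get("process.real_group.id")),
            ))
    return alerts


# Constructed sample events (process names are placeholders, not real binaries).
SAMPLE_EVENTS = [
    # setuid-root binary run by uid 1000: IDs arrive as strings, as many shippers send them
    {"process.name": "tool-a", "user.id": "0", "process.real_user.id": "1000",
     "group.id": "1000", "process.real_group.id": "1000"},
    # setgid-root binary, unprivileged user and group otherwise
    {"process.name": "tool-b", "user.id": 1000, "process.real_user.id": 1000,
     "group.id": 0, "process.real_group.id": 1000},
    # a genuine root shell: effective and real IDs agree, no match
    {"process.name": "root-shell", "user.id": 0, "process.real_user.id": 0,
     "group.id": 0, "process.real_group.id": 0},
    # ordinary user process, no match
    {"process.name": "user-shell", "user.id": 1000, "process.real_user.id": 1000,
     "group.id": 1000, "process.real_group.id": 1000},
    # binary with both bits set
    {"process.name": "tool-c", "user.id": 0, "process.real_user.id": 1000,
     "group.id": 0, "process.real_group.id": 1000},
    # root process whose real-ID fields were never collected: must not alert
    {"process.name": "daemon-x", "user.id": 0, "group.id": 0},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.process}: {alert.reason} (ruid={alert.ruid}, rgid={alert.rgid})")
```

Running the block prints three alerts (tool-a as suid, tool-b as sgid, tool-c as suid+sgid) and stays silent for the root shell, the unprivileged shell, and the event with no real-ID fields; passing `watchlist={"tool-b"}` to `detect` narrows the output to the single SGID match.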
Categories
- Endpoint
- Linux
Data Sources
- Process
- File
- Container
ATT&CK Techniques
- T1068
- T1548
- T1548.001
Created: 2024-06-17