Potential Privilege Escalation via PKEXEC

Elastic Detection Rules

Summary
This detection rule identifies potential exploitation attempts of CVE-2021-4034 in the polkit pkexec utility, a vulnerability that lets an unprivileged local user escalate to root through insecure handling of environment variables. An attacker who exploits it can inject malicious environment variables that lead to command execution with root privileges. The rule monitors logs from Elastic Defend and other integrated endpoint sources, looking for file paths that contain a specific pattern associated with environment variable manipulation. Its risk score of 73 reflects the high severity of this exploit and calls for close monitoring and rapid response to the alerts it triggers. The rule also provides a detailed investigation procedure that covers both detection and the false positives that can arise from legitimate administrative actions.
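As an added illustration (not Elastic's own rule code), the following Python applies the detection logic described above to a few constructed file events. The page does not name the path pattern; the example assumes it is the `GCONV_PATH=.` marker that glibc honours as an iconv override directory. The simplified ECS-style field layout, the `_get` helper and the sample events are all constructions for this example.

```python
import re

# Assumed marker: the page only says "a specific pattern associated with
# environment variable manipulation"; GCONV_PATH=. is the glibc iconv
# override directory that this exploit class writes to disk.
SUSPICIOUS_PATH_PATTERN = re.compile(r"GCONV_PATH=\.")

RISK_SCORE = 73  # value stated in the rule summary


def _get(event: dict, dotted: str, default=None):
    """Walk a nested dict with an ECS-style dotted field name (helper for this example)."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def matches_rule(event: dict) -> bool:
    """Summary's logic: a Linux file event whose path carries the marker."""
    if _get(event, "host.os.type") != "linux":
        return False
    if _get(event, "event.category") != "file":
        return False
    path = _get(event, "file.path", "")
    return bool(SUSPICIOUS_PATH_PATTERN.search(path))


def evaluate(events: list) -> list:
    """Return one alert record per matching event, carrying the fields an
    analyst would pivot on first (path, creating process, user) plus the score."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "file.path": _get(ev, "file.path"),
                "process.name": _get(ev, "process.name"),
                "user.name": _get(ev, "user.name"),
                "risk_score": RISK_SCORE,
            })
    return alerts


# Constructed sample events shaped like simplified ECS documents (not real telemetry).
SAMPLE_EVENTS = [
    {   # Linux file creation whose path carries the marker: should alert
        "host": {"os": {"type": "linux"}},
        "event": {"category": "file", "type": "creation"},
        "file": {"path": "/tmp/GCONV_PATH=./x"},
        "process": {"name": "a.out"},
        "user": {"name": "svc-build"},
    },
    {   # Ordinary administrative file write: no marker, no alert
        "host": {"os": {"type": "linux"}},
        "event": {"category": "file", "type": "change"},
        "file": {"path": "/etc/cron.d/backup"},
        "process": {"name": "vi"},
        "user": {"name": "root"},
    },
    {   # Same marker on a non-Linux host: out of scope for this rule
        "host": {"os": {"type": "windows"}},
        "event": {"category": "file", "type": "creation"},
        "file": {"path": "C:\\Temp\\GCONV_PATH=.\\x"},
        "process": {"name": "explorer.exe"},
        "user": {"name": "alice"},
    },
    {   # Marker only in a process command line, not in a file path: no alert
        "host": {"os": {"type": "linux"}},
        "event": {"category": "process", "type": "start"},
        "process": {"name": "bash", "command_line": "echo GCONV_PATH=."},
        "user": {"name": "bob"},
    },
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample produces an alert; the other three show the scoping the summary implies (Linux hosts, file events, path field), which is also where legitimate administrative activity stays out of the rule's view unless a path actually carries the marker.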
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Process
  • Logon Session
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1068
  • T1574
  • T1574.007
Created: 2022-01-26