
Summary
This detection rule identifies potential privilege escalation attempts on Linux systems by monitoring executions of GNU Awk ('gawk') with elevated privileges. It uses Endpoint Detection and Response (EDR) telemetry to find process events in which the process name is 'gawk' and the command line contains both 'sudo' and the string 'BEGIN{system'. That combination corresponds to the well-known awk shell escape, in which the BEGIN block calls system() to spawn a shell: if awk is allowed by the sudoers policy, the spawned shell runs as root and the user gains full control of the host. The rule is implemented as a Splunk search over endpoint process data populated by the EDR agents installed on the endpoints. Because the match is a literal substring, variants of the same command that are spaced or quoted differently (for example 'BEGIN {system') fall outside the pattern and should be considered when tuning the rule. Matching events indicate a high-risk action and should prompt security teams to review the invoking user and the command that was passed to system().
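The detection logic described above, run over constructed sample process events, as an added example that is not part of the page or of the Splunk rule itself. The event field names (process_name, process) follow the shape endpoint process telemetry commonly takes and are an assumption; the sample events are made up for this example. The second matcher, with a whitespace-tolerant regex and acceptance of 'awk' as well as 'gawk', is my own tightened variant, shown to illustrate what the literal 'BEGIN{system' substring misses.

```python
import re

# Constructed sample process events (not real telemetry, not from the page).
# Fields mirror typical endpoint process data: the resolved process name and
# the full command line.
SAMPLE_EVENTS = [
    {"process_name": "gawk", "process": 'sudo gawk BEGIN{system("/bin/sh")}'},
    {"process_name": "gawk", "process": "sudo gawk 'BEGIN {system(\"/bin/sh\")}'"},
    {"process_name": "gawk", "process": "gawk -F: '{print $1}' /etc/passwd"},
    {"process_name": "bash", "process": "sudo bash -c 'echo BEGIN{system'"},
    {"process_name": "gawk", "process": "sudo gawk 'BEGIN{system(\"id\")}'"},
]


def rule_matches(event):
    """Literal conditions of the rule as summarized on the page:
    process name 'gawk', command line containing 'sudo' and 'BEGIN{system'."""
    cmd = event.get("process", "")
    return (
        event.get("process_name") == "gawk"
        and "sudo" in cmd
        and "BEGIN{system" in cmd
    )


# Hypothetical tightened pattern (my addition, not the rule's): allow any
# whitespace between BEGIN, the brace and system(), which is how the shell
# escape is usually typed, while still requiring the system() call itself.
BEGIN_SYSTEM_RE = re.compile(r"BEGIN\s*\{\s*system\s*\(")


def tightened_matches(event):
    """Same intent as rule_matches, but tolerant of spacing and of the
    binary being invoked as 'awk' (assumption: the EDR reports the name as
    typed rather than resolving a symlink to gawk)."""
    cmd = event.get("process", "")
    return (
        event.get("process_name") in ("gawk", "awk")
        and "sudo" in cmd
        and BEGIN_SYSTEM_RE.search(cmd) is not None
    )


def run_detection(events, matcher):
    """Return the indexes of the events that the given matcher flags."""
    return [i for i, event in enumerate(events) if matcher(event)]


if __name__ == "__main__":
    print("literal rule hits:  ", run_detection(SAMPLE_EVENTS, rule_matches))
    print("tightened rule hits:", run_detection(SAMPLE_EVENTS, tightened_matches))
```

On the sample set the literal rule flags only the two events whose command line contains the exact substring; the spaced variant in the second event is missed, and the tightened matcher picks it up without flagging the benign field-splitting invocation or the bash event. Before relying on the 'sudo' clause in production, confirm in your own telemetry whether 'sudo' appears in the gawk process's command line or only in the parent's, since sudo execs the target command and EDR products differ in how they record that lineage.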
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Container
- Process
ATT&CK Techniques
- T1548.003
- T1548
Created: 2024-11-13