
Setcap setuid/setgid Capability Set

Elastic Detection Rules

Summary
This detection rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep file capabilities through the setcap command. On Linux, a file carrying CAP_SETUID or CAP_SETGID in its permitted and effective sets (the +ep suffix) starts with the ability to change its own user or group ID, so a process executing it can call setuid(0) or setgid(0) and obtain root without the traditional setuid/setgid mode bits being set. Threat actors can abuse this to establish persistence or escalate privileges by planting a binary and granting it these capabilities. The rule uses EQL to match process creation events for the setcap command whose arguments request these capabilities. Its investigation guide covers reviewing the affected binary (path, owner, hash, and the capability set it now carries, which getcap will show), the execution context, and the user's surrounding activity, to distinguish legitimate administrative work from a compromise.
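The detection logic described above, as an added worked example in Python (this is not the rule's EQL or any Elastic code): it models the capability-text grammar that setcap accepts, extracts the files and capability flags a setcap invocation would set, and flags process-start events that grant cap_setuid or cap_setgid in the permitted set. The ECS-style field names (event.type, process.name, process.args, user.name), the sample events, and the simplified cap_from_text model are assumptions made for the example.

```python
"""Model of the 'Setcap setuid/setgid Capability Set' detection, run over
constructed process-creation events. Added example, not the Elastic rule."""
import re
from typing import Dict, List, Set

# Capabilities that let a process change its own UID/GID and so reach root:
# CAP_SETUID -> setuid(2)/setreuid(2)/..., CAP_SETGID -> setgid(2)/setgroups(2)/...
WATCHED_CAPS = {"cap_setuid", "cap_setgid"}

# A clause is a comma-separated name list followed by one or more action groups;
# an action group is an operator (=, +, -) and zero or more of the flags e/i/p.
_CLAUSE_RE = re.compile(r"^([a-z0-9_,]*)((?:[=+-][eip]*)+)$", re.IGNORECASE)
_ACTION_RE = re.compile(r"([=+-])([eip]*)")


def parse_cap_text(text: str) -> Dict[str, Set[str]]:
    """Simplified model (assumption) of libcap's cap_from_text(3), the grammar
    setcap reads. Returns {capability: flags} with flags drawn from 'e','i','p'.
    Whitespace separates clauses; an empty name list or 'all' means every
    capability (modelled here as the watched ones plus any already seen);
    '=' clears the capability then raises the listed flags, '+' raises, '-' lowers.
    Unparseable clauses raise ValueError rather than being silently dropped."""
    caps: Dict[str, Set[str]] = {}
    for clause in text.split():
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unparseable capability clause: {clause!r}")
        names = [n for n in m.group(1).lower().split(",") if n]
        if not names or "all" in names:
            names = sorted(WATCHED_CAPS | set(caps))
        for name in names:
            flags = caps.setdefault(name, set())
            for op, fl in _ACTION_RE.findall(m.group(2)):
                if op == "=":
                    flags.clear()
                    flags.update(fl)
                elif op == "+":
                    flags.update(fl)
                else:
                    flags.difference_update(fl)
    return caps


def setcap_target_caps(args: List[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Given setcap's argv, return {file: caps} for every file whose capability
    set the command would actually change. Verify mode (-v) changes nothing;
    '-r' removes capabilities; '-' reads the text from stdin, which is not
    visible in process arguments, so those pairs are skipped."""
    i = 1
    while i < len(args) and args[i].startswith("-") and args[i] not in ("-", "-r"):
        if args[i] == "-v":
            return {}
        i += 2 if args[i] == "-n" else 1   # -n <rootid> takes a value, -q does not
    targets: Dict[str, Dict[str, Set[str]]] = {}
    while i + 1 < len(args):               # setcap accepts repeated <caps> <file> pairs
        spec, path = args[i], args[i + 1]
        i += 2
        if spec in ("-r", "-"):
            continue
        targets[path] = parse_cap_text(spec)
    return targets


def detect(events: List[dict]) -> List[dict]:
    """Flag process-start events where setcap grants cap_setuid or cap_setgid in
    the permitted set. Effective ('e') is reported separately: a capability-aware
    program can raise it from permitted on its own, so matching only the literal
    '+ep' string would miss the 'p'-only and '=ep' spellings."""
    findings = []
    for ev in events:
        if ev.get("event.type") != "start" or ev.get("process.name") != "setcap":
            continue
        for path, caps in setcap_target_caps(ev.get("process.args", [])).items():
            for cap in sorted(WATCHED_CAPS):
                flags = caps.get(cap, set())
                if "p" in flags:
                    findings.append({"file": path, "capability": cap,
                                     "effective": "e" in flags,
                                     "user": ev.get("user.name")})
    return findings


# Constructed sample events in ECS-style field names (assumption, not real telemetry).
SAMPLE_EVENTS = [
    {"event.type": "start", "process.name": "setcap", "user.name": "root",
     "process.args": ["setcap", "cap_setuid+ep", "/usr/local/bin/helper"]},
    {"event.type": "start", "process.name": "setcap", "user.name": "root",
     "process.args": ["setcap", "cap_net_bind_service=+ep", "/usr/sbin/nginx"]},
    {"event.type": "start", "process.name": "setcap", "user.name": "dev",
     "process.args": ["setcap", "-q", "cap_setgid,cap_setuid=p", "/tmp/.cache/x"]},
    {"event.type": "start", "process.name": "setcap", "user.name": "root",
     "process.args": ["setcap", "-v", "cap_setuid+ep", "/usr/bin/foo"]},
    {"event.type": "start", "process.name": "setcap", "user.name": "root",
     "process.args": ["setcap", "-r", "/usr/bin/foo"]},
    {"event.type": "start", "process.name": "getcap", "user.name": "root",
     "process.args": ["getcap", "-r", "/"]},
    {"event.type": "start", "process.name": "setcap", "user.name": "root",
     "process.args": ["setcap", "all=ep", "/opt/tool/bin/run"]},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Of the seven constructed events, only the helper, /tmp/.cache/x and /opt/tool/bin/run invocations are flagged; the nginx one grants an unrelated capability, the -v and -r forms change nothing dangerous, and getcap is a different process name. The /tmp/.cache/x case is the caveat worth carrying into the real rule: it grants only the permitted set, so a query keyed on the literal +ep string would not fire, yet a capability-aware binary can still raise cap_setuid into its effective set and call setuid(0).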
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Command
  • Application Log
  • Sensor Health
  • Network Traffic
ATT&CK Techniques
  • T1548
  • T1548.001
Created: 2023-09-05