
Summary
This detection rule identifies use of the `chmod` command to modify file permissions by setting the setgid (Set Group ID) bit. The setgid bit allows files to run with the privileges of the file's owner or group, which can lead to privilege escalation if an adversary exploits it. The rule focuses on the processes that initiate this command, specifically looking for invocations of `chmod` that explicitly include the `g+s` argument, which indicates an intention to set the setgid bit. Importantly, the rule excludes events triggered by the root user, since those are less likely to indicate anomalous behavior. This kind of privilege escalation is relevant in many contexts, particularly in Linux environments where file permissions govern access control. By logging and analyzing these occurrences, administrators can detect potential misuse of elevated privileges that could lead to unauthorized access or the execution of persistent malware.
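The matching logic described above, applied to constructed process-creation events, as an added example that is not part of the original rule (the event field names `process`, `cmdline` and `user` are assumptions; adapt them to your telemetry schema):

```python
import shlex

# Constructed sample process-creation events (not real telemetry). Each
# carries the three fields the rule reasons about: the executable path,
# the full command line, and the account that launched the process.
SAMPLE_EVENTS = [
    {"process": "/bin/chmod", "cmdline": "chmod g+s /tmp/helper", "user": "www-data"},
    {"process": "/bin/chmod", "cmdline": "chmod g+s /usr/local/bin/tool", "user": "root"},
    {"process": "/bin/chmod", "cmdline": "chmod u+x /tmp/helper", "user": "www-data"},
    {"process": "/bin/chmod", "cmdline": "chmod 2755 /tmp/helper", "user": "www-data"},
    {"process": "/usr/bin/chmod", "cmdline": "chmod -R g+s /srv/shared", "user": "deploy"},
    {"process": "/bin/cat", "cmdline": "cat g+s", "user": "www-data"},
]


def _args(cmdline: str) -> list:
    """Split a command line into arguments, tolerating unbalanced quotes."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def matches_setgid_chmod(event: dict) -> bool:
    """True when a non-root account runs chmod with an argument containing g+s.

    Mirrors the rule as described: the process must be chmod, one argument
    must contain the symbolic mode 'g+s', and the initiating user must not
    be root. Numeric modes such as 2755 also set the setgid bit but do not
    match, a gap worth knowing about when tuning this rule.
    """
    if event["process"].rsplit("/", 1)[-1] != "chmod":
        return False
    if event["user"] == "root":
        return False
    return any("g+s" in arg for arg in _args(event["cmdline"])[1:])


def alerts(events) -> list:
    """Return the command lines of all events the rule would flag."""
    return [e["cmdline"] for e in events if matches_setgid_chmod(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Running it flags only the two non-root `g+s` invocations; the `2755` event shows a case the literal `g+s` match does not cover.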
Categories
- Endpoint
- Linux
- Other
Data Sources
- Process
- File
ATT&CK Techniques
- T1548
- T1548.001
Created: 2020-04-23