Product
This rule detects suspicious sequences where a non-root user launches a high-risk parent process and then executes a common privilege elevation helper gaining an effective UID of 0 while the real UID remains non-root, potentially indicating misuse of SUID/SGID helpers or privilege escalation attempts.