diff --git a/rules/linux/process_creation/proc_creation_lnx_cap_setgid.yml b/rules/linux/process_creation/proc_creation_lnx_cap_setgid.yml
new file mode 100644
index 000000000..028af5e7a
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_cap_setgid.yml
@@ -0,0 +1,30 @@
+title: Linux Setgid Capability Set on a Binary via Setcap Utility
+id: 3a716279-c18c-4488-83be-f9ececbfb9fc
+status: experimental
+description: |
+    Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
+    This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
+    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
+references:
+    - https://man7.org/linux/man-pages/man8/setcap.8.html
+    - https://dfir.ch/posts/linux_capabilities/
+    - https://juggernaut-sec.com/capabilities/#cap_setgid
+author: Luc Génaux
+date: 2026-01-24
+tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.t1548
+    - attack.t1554
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/setcap'
+        CommandLine|contains: 'cap_setgid'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml b/rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml
new file mode 100644
index 000000000..753668d95
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml
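Review bot: The `CommandLine|contains: 'cap_setgid'` line only fires when the capability is spelled out by name, but the text format setcap accepts (cap_from_text(3)) also takes the keyword `all` and numeric capability values, so `setcap all=ep /tmp/x` or `setcap 6=ep /tmp/x` grants cap_setgid without matching this rule. Consider widening the match to a list, `CommandLine|contains:` with `- 'cap_setgid'` and `- 'all='`, or at least recording the gap in the description so analysts know a name-based rule is bypassable. The substring match also ignores the operator, so a drop (`setcap cap_setgid-ep …`) or a verify (`setcap -v cap_setgid+ep …`) produces the same alert as a grant; at level low that may be acceptable, but it should be listed under `falsepositives:` instead of `Unknown`.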
@@ -0,0 +1,30 @@
+title: Linux Setuid Capability Set on a Binary via Setcap Utility
+id: ed447910-bc30-4575-a598-3a2e49516a7a
+status: experimental
+description: |
+    Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
+    This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
+    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
+references:
+    - https://man7.org/linux/man-pages/man8/setcap.8.html
+    - https://dfir.ch/posts/linux_capabilities/
+    - https://juggernaut-sec.com/capabilities/#cap_setuid
+author: Luc Génaux
+date: 2026-01-24
+tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.t1548
+    - attack.t1554
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/setcap'
+        CommandLine|contains: 'cap_setuid'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low
diff --git a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
index 87811e044..4916afd19 100644
--- a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
@@ -8,7 +8,7 @@ references:
     - https://github.com/diego-treitos/linux-smart-enumeration
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-28
-modified: 2024-03-05
+modified: 2026-01-24
 tags:
     - attack.discovery
     - attack.t1083
@@ -18,7 +18,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '/getcap'
-        CommandLine|contains|windash: ' -r '
+        CommandLine|contains: ' -r '
     condition: selection
 falsepositives:
     - Unknown
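Review bot: The `CommandLine|contains: 'cap_setuid'` match does not distinguish granting from dropping or checking, so `setcap cap_setuid-ep /usr/bin/foo` and `setcap -v cap_setuid+ep …` raise the same alert as a real grant; something like `CommandLine|re: 'cap_setuid[^\s]*[=+]'` (note `re` is case-sensitive where `contains` is not) would restrict it to set/add operations, though it still misses the `all=ep` and numeric (`7=ep`) spellings that a name-based match cannot see. Whichever way you go, `falsepositives:` should name the drop/verify case rather than `Unknown`. Minor wording: in the description, `(i.e. UID 0, the root user)` should read `(e.g. UID 0, the root user)`, since root is one example of a restricted UID, not the definition.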
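Review bot: Dropping `windash` on the `CommandLine|contains: ' -r '` line is right for Linux, but the space-padded literal still requires `-r` to stand alone: getcap accepts clustered short options, so `getcap -rv /` or `getcap -vr /` is missed while `getcap -r /` is caught. A regex such as `CommandLine|re: ' -[hnv]*r[hnv]* '` covers the clustered forms using the option letters getcap(8) documents (`-h`, `-n`, `-r`, `-v`); if a regex is undesirable here, listing `' -rv '` and `' -vr '` next to `' -r '` catches the common two-letter cases. The `modified:` bump in the first hunk needs nothing further.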