diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
index 3b93dd57a..7f7bed9f7 100644
--- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
+++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/17"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2026/03/24"
+updated_date = "2026/04/30"
 
 [rule]
 author = ["Elastic"]
@@ -126,7 +126,8 @@ process where host.os.type == "linux" and event.type == "start" and event.action
     ) or
     (process.name == "ip" and ((process.args == "-force" and process.args in ("-batch", "-b")) or (process.args == "exec"))) or
     (process.name == "find" and process.args in ("-exec", "-execdir")) or
-    (process.name in ("bash", "csh", "dash") and process.args in ("-p", "-b"))
+    (process.name in ("bash", "csh", "dash") and process.args in ("-p", "-b")) or
+    (process.name in ("su", "sudo", "pkexec") and process.args_count == 1)
     ) and not (
       process.parent.name == "spine" or
       process.parent.executable in (
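Review bot: The new clause `(process.name in ("su", "sudo", "pkexec") and process.args_count == 1)` matches any bare invocation of these binaries, and a bare `su` is the routine way an administrator opens an interactive root shell, while bare `sudo` and `pkexec` simply print usage, so on its own this condition is likely to be a low-fidelity, high-volume signal compared with the sibling clauses, which each require a specific argument. Whether it is acceptable depends on the surrounding query — the `process where` header and the `not (` exclusion list both extend outside this hunk — presumably a real-vs-effective user mismatch or the parent exclusions narrow it, but that is not visible here. If that narrowing exists, it would help to record the rationale in the rule's note/description (e.g. why an argument-less `su`/`sudo`/`pkexec` is considered suspicious in this context and which benign cases the exclusions cover); if it does not, consider scoping this clause with an additional parent or user condition before it ships as `maturity = "production"`. The first hunk is only the `updated_date` bump and needs no review.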