
Summary
This analytic detection rule identifies potential privilege escalation on Windows systems by monitoring for a user process at any integrity level (low, medium, or high) spawning a system integrity process from a user-controlled location. Such a transition is a strong indicator of malicious activity: attackers routinely seek to elevate to SYSTEM in order to execute commands and access sensitive system resources. The rule leverages Sysmon data, focusing on Event ID 15, which tracks process creation and modifications, to detect these suspicious transitions. It is important in environments tasked with protecting against unauthorized access and maintaining system integrity against a range of threat actors, given consequences such as unauthorized access to sensitive data and further exploitation. Detection involves monitoring and analyzing Sysmon logs and Windows Event Logs to capture process creation activity that matches the criteria associated with privilege escalation behavior.
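The following is an added example, not code from the rule or its source: a small Python detector run over constructed Sysmon process-creation records. Field names follow Sysmon's Event ID 1 schema, while the GUIDs, paths and the list of user-writable directories are assumptions; because a single creation event records only the child's integrity level, the parent's level is recovered by correlating ProcessGuid values across events.

```python
import re
from typing import Dict, List

# Constructed Sysmon process-creation events (subset of fields); GUIDs are made-up placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessGuid": "{G-1}", "ParentProcessGuid": "{G-0}", "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"ProcessGuid": "{G-2}", "ParentProcessGuid": "{G-1}", "IntegrityLevel": "High",
     "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessGuid": "{G-3}", "ParentProcessGuid": "{G-2}", "IntegrityLevel": "System",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage.exe"},
    {"ProcessGuid": "{G-5}", "ParentProcessGuid": "{G-4}", "IntegrityLevel": "System",
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Directories an unprivileged user can typically write to (assumption; tune per environment).
USER_CONTROLLED = re.compile(
    r"^[A-Za-z]:\\(Users\\|ProgramData\\|Windows\\Temp\\|Windows\\Tasks\\|Temp\\)", re.IGNORECASE
)
USER_LEVELS = {"Low", "Medium", "High"}


def is_user_controlled(path: str) -> bool:
    return bool(USER_CONTROLLED.match(path))


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    # Flag System-integrity children of user-integrity parents where either image sits in a
    # user-controlled location. The parent's level is not in the child's event, so remember
    # each ProcessGuid's level when its own creation event is seen and look the parent up later.
    level_by_guid: Dict[str, str] = {}
    alerts: List[Dict[str, str]] = []
    for ev in events:
        level_by_guid[ev["ProcessGuid"]] = ev["IntegrityLevel"]
        parent_level = level_by_guid.get(ev["ParentProcessGuid"], "Unknown")
        if ev["IntegrityLevel"] != "System" or parent_level not in USER_LEVELS:
            continue  # not a user-to-System transition (or parent never observed)
        if not (is_user_controlled(ev["Image"]) or is_user_controlled(ev["ParentImage"])):
            continue  # both images live in system-owned paths
        alerts.append({"child": ev["Image"], "parent": ev["ParentImage"], "parent_level": parent_level})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT: {a['parent']} ({a['parent_level']}) -> {a['child']} (System)")
```

Events arriving out of order, or parents created before Sysmon started logging, show up as "Unknown" parent levels and are not flagged, so a production version should backfill the GUID map from a process inventory rather than relying on the event stream alone.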
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- File
- Process
- Application Log
- Malware Repository
ATT&CK Techniques
- T1068
- T1134.001
- T1548
- T1134
Created: 2024-12-10