
Summary
This detection rule identifies potentially suspicious child processes spawned by the Windows Event Viewer application (eventvwr.exe). Its primary focus is uncommon child processes that may indicate an attempt to bypass User Account Control (UAC), for example through registry hijacking. The rule works by monitoring process creation events and selecting those whose parent process is eventvwr.exe. A filter then excludes the known legitimate child processes that eventvwr.exe typically spawns, so that only child processes outside this allow list are flagged. The rule's high severity level reflects the significance of a potential UAC bypass, a technique commonly used by attackers to gain elevated permissions on compromised systems. Created by Florian Roth of Nextron Systems, this rule is part of a broader strategy to detect defense evasion and privilege escalation.
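The selection-and-filter logic described above, as an added example (not the rule's own code) run over a few constructed process-creation events; the allow list of legitimate child images is assumed for illustration and is not taken from the rule itself:

```python
# Added example: minimal re-implementation of the described detection logic.
# Event fields follow the Sysmon Event ID 1 naming (Image, ParentImage).
import ntpath
from typing import Dict, Iterable, List

# Assumed allow list of children eventvwr.exe legitimately spawns (hypothetical;
# the page does not list the rule's real filter). Compared case-insensitively.
ALLOWED_CHILDREN = {"mmc.exe", "werfault.exe"}


def _basename(image: str) -> str:
    # Compare on the image file name only, normalised to lower case, so that
    # "C:\Windows\System32\EventVwr.exe" and "eventvwr.exe" match the same way.
    return ntpath.basename(image or "").lower()


def is_suspicious_eventvwr_child(event: Dict[str, str]) -> bool:
    """True when eventvwr.exe is the parent and the child is not allow-listed."""
    if _basename(event.get("ParentImage", "")) != "eventvwr.exe":
        return False  # selection: only children of eventvwr.exe are of interest
    child = _basename(event.get("Image", ""))
    # A missing/empty Image is treated as suspicious rather than silently ignored.
    return child not in ALLOWED_CHILDREN


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule would alert on."""
    return [e for e in events if is_suspicious_eventvwr_child(e)]


# Constructed sample events: one benign child, one unexpected child, one
# unrelated parent, and one event with the Image field missing.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\mmc.exe"},
    {"ParentImage": r"C:\Windows\System32\EventVwr.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\eventvwr.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT: eventvwr.exe spawned", hit.get("Image", "<no Image>"))
```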
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2017-03-19