Suspicious Usage of CVE_2021_34484 or CVE 2022_21919

Summary
This detection rule targets exploitation of two CVEs, CVE-2021-34484 and CVE-2022-21919, both privilege escalation vulnerabilities in the Windows User Profiles Service. During exploitation the service writes Event IDs 1511 and 1515 to the Application log, which signal trouble with user profile handling. On their own these events are suspicious; combined with the creation of a \Users\TEMP directory they point to unauthorized manipulation of user profiles. The rule is written for Windows environments and sources its telemetry from the Application log. False positives are possible, most notably when a user profile is corrupted, which produces the same event IDs. Analysts should therefore confirm the surrounding activity before acting on a hit, so that legitimate profile management is not mistaken for an attack.
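The detection logic described above, worked through as a small Python detector over constructed Windows events. This is an added example and not the Sigma project's rule or its query syntax: the matching condition (Application log, User Profiles Service provider, Event ID 1511 or 1515) comes from the summary, while the field names (`Provider_Name`, `Computer`, `TimeCreated`, `TargetFilename`), the use of a Sysmon FileCreate event (ID 11) as the source of the \Users\TEMP directory-creation signal, the ten-minute correlation window and the severity labels are assumptions made for the example. The sample records are constructed, not real telemetry.

```python
"""Toy detector for the rule logic described above: flag Application-log events
1511/1515 from the User Profiles Service, and raise the severity when a
\\Users\\TEMP creation is seen on the same host shortly before or after.

Example code, not the Sigma project's own rule. Field names such as
"Provider_Name" and "TargetFilename" are assumptions about how a log pipeline
names Windows event fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PROVIDER = "Microsoft-Windows-User Profiles Service"  # Windows provider of the 1511/1515 events
PROFILE_EVENT_IDS = {1511, 1515}                      # event IDs named by the rule
TEMP_PROFILE_DIR = r"\users\temp"                     # compared case-insensitively
WINDOW = timedelta(minutes=10)                        # assumed correlation window, not part of the rule


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def is_profile_service_hit(event):
    """Core match, as the rule summary states it: Application log, User Profiles
    Service provider, Event ID 1511 or 1515. An unrelated provider that happens
    to use the same event number must not match."""
    return (event.get("Channel") == "Application"
            and event.get("Provider_Name") == PROVIDER
            and event.get("EventID") in PROFILE_EVENT_IDS)


def is_temp_profile_creation(event):
    """Secondary signal: a Sysmon FileCreate (ID 11) whose path is under
    \\Users\\TEMP. Using Sysmon for this is an assumption of the example."""
    path = event.get("TargetFilename", "")
    return event.get("EventID") == 11 and TEMP_PROFILE_DIR in path.lower()


def evaluate(events):
    """Return one finding per host that produced profile-service events.

    1511/1515 alone is reported as 'high' with a triage note about corrupted
    profiles (the false positive the rule warns about). When a \\Users\\TEMP
    creation on the same host falls within WINDOW of such an event, the
    finding is escalated to 'critical'. A lone \\Users\\TEMP path never fires.
    """
    by_host = defaultdict(lambda: {"profile": [], "temp": []})
    for ev in events:
        if is_profile_service_hit(ev):
            by_host[ev["Computer"]]["profile"].append(ev)
        elif is_temp_profile_creation(ev):
            by_host[ev["Computer"]]["temp"].append(ev)

    findings = []
    for host, sig in by_host.items():
        if not sig["profile"]:
            continue  # TEMP directory alone is not evidence of this technique
        correlated = any(
            abs(parse_time(p["TimeCreated"]) - parse_time(t["TimeCreated"])) <= WINDOW
            for p in sig["profile"] for t in sig["temp"]
        )
        findings.append({
            "host": host,
            "event_ids": sorted({p["EventID"] for p in sig["profile"]}),
            "temp_profile_seen": correlated,
            "severity": "critical" if correlated else "high",
            "triage_note": (
                "profile-service events plus \\Users\\TEMP creation; treat as likely exploitation"
                if correlated else
                "profile-service events only; rule out a corrupted user profile before responding"
            ),
        })
    return findings


# Constructed sample records (not real telemetry) covering the cases that matter.
SAMPLE_EVENTS = [
    # WS01: the full pattern, 1511 and 1515 bracketing a \Users\TEMP creation
    {"Computer": "WS01", "Channel": "Application", "Provider_Name": PROVIDER,
     "EventID": 1511, "TimeCreated": "2022-08-16T09:00:00"},
    {"Computer": "WS01", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "TargetFilename": r"C:\Users\TEMP", "TimeCreated": "2022-08-16T09:00:03"},
    {"Computer": "WS01", "Channel": "Application", "Provider_Name": PROVIDER,
     "EventID": 1515, "TimeCreated": "2022-08-16T09:00:04"},
    # WS02: profile-service event with no TEMP directory, possibly a corrupted profile
    {"Computer": "WS02", "Channel": "Application", "Provider_Name": PROVIDER,
     "EventID": 1511, "TimeCreated": "2022-08-16T10:15:00"},
    # WS03: another provider reusing the number 1511 in the Application log; must not match
    {"Computer": "WS03", "Channel": "Application", "Provider_Name": "SomeOtherApp",
     "EventID": 1511, "TimeCreated": "2022-08-16T11:00:00"},
    # WS04: TEMP path with no profile-service event; must not fire
    {"Computer": "WS04", "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "TargetFilename": r"C:\Users\TEMP\readme.txt", "TimeCreated": "2022-08-16T12:00:00"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports WS01 as critical (both event IDs plus the TEMP directory) and WS02 as high with the corrupted-profile triage note; WS03 and WS04 produce nothing, which is the behaviour a production version of this rule should keep: the provider check prevents collisions on the bare event number, and the directory signal only strengthens an existing profile-service hit rather than firing on its own.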
Categories
  • Endpoint
  • Windows
Data Sources
  • Application Log
Created: 2022-08-16