
Summary
This detection rule identifies instances where a process known to be abused by User Account Control (UAC) bypass techniques spawns a child process from a user-controlled directory or launches a command shell executable such as cmd.exe or powershell.exe. It uses Sysmon EventID 1 (process creation) data to examine parent-child process relationships in which the child runs at High or System integrity level. The goal is to detect privilege escalation by attackers exploiting UAC weaknesses. When such a technique succeeds, the attacker can run arbitrary commands with elevated privileges and potentially compromise the affected system completely. The rule flags suspicious parent-child process relationships and requires that the environment ingest the relevant Sysmon process creation data with the corresponding security logging settings enabled.
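The following is an added example (not the rule's own query) that applies the summary's logic to constructed Sysmon EventID 1 events: parent is a known auto-elevating binary, child is elevated, and the child is either a shell or runs from a user-writable path. The list of abused parent binaries and the set of user-writable directories are assumptions for illustration, not taken from the page.

```python
import re
from typing import Dict, Iterable, List

# Assumed, illustrative list of auto-elevating binaries commonly seen as the
# parent in UAC bypass chains; the page does not name specific binaries.
UAC_BYPASS_PARENTS = {"fodhelper.exe", "eventvwr.exe", "computerdefaults.exe",
                      "sdclt.exe", "slui.exe", "wsreset.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}            # shells named in the summary
ELEVATED = {"High", "System"}                     # Sysmon IntegrityLevel values
# Assumed paths a standard user can write to (child image launched from here).
USER_WRITABLE = re.compile(
    r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\|.*\\appdata\\)", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event: Dict[str, object]) -> bool:
    """True when a Sysmon EID 1 event matches the rule's parent/child logic."""
    if event.get("EventID") != 1 or event.get("IntegrityLevel") not in ELEVATED:
        return False
    if _basename(str(event.get("ParentImage", ""))) not in UAC_BYPASS_PARENTS:
        return False
    child = str(event.get("Image", ""))
    return _basename(child) in SHELLS or bool(USER_WRITABLE.match(child))


def find_alerts(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    return [e for e in events if is_suspicious(e)]


# Constructed sample events using Sysmon EID 1 field names.
SAMPLE_EVENTS = [
    # elevated shell spawned by fodhelper.exe -> alert
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High"},
    # elevated child from a user-writable directory -> alert
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
    # legitimate Event Viewer launching mmc.exe from System32 -> no alert
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\eventvwr.exe", "IntegrityLevel": "High"},
    # ordinary medium-integrity shell from explorer.exe -> no alert
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["ParentImage"], "->", alert["Image"])
```

Tuning the parent list and writable-path patterns to the environment is what keeps the rule's false-positive rate manageable, as the mmc.exe case shows.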
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1548
- T1548.002
Created: 2024-11-13