
Summary
This rule detects suspicious executions of the AdvancedRun utility on Windows, particularly when it is run under a privileged security context such as TrustedInstaller, SYSTEM, Local Service, or Network Service. The detection focuses on the command line used to invoke AdvancedRun, identifying flags in the command syntax that suggest the tool is being misused for potentially malicious purposes. Given what AdvancedRun does (it lets a program be executed with different privileges or under a different profile), its use in these contexts may indicate attempts to evade existing security measures or to exploit privilege escalation flaws. The filtering criteria are designed to trigger alerts on command-line invocations that include specific flags, helping to prevent unauthorized access or actions that could compromise a system's integrity.
Categories
- Windows
Data Sources
- Process
Created: 2022-01-20
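The matching logic the summary describes, run over a few constructed process-creation events, as an added example that is not the rule's own definition. It assumes the AdvancedRun command-line switches `/EXEFilename`, `/RunAs <n>` and `/Run`, and the mapping of `/RunAs` values 4, 8, 10 and 11 to SYSTEM, TrustedInstaller, Local Service and Network Service, as the editor recalls them from NirSoft's documentation; verify both against the tool before deploying.

```python
import re
from dataclasses import dataclass

# Assumed mapping of AdvancedRun /RunAs values to privileged accounts
# (editor's recollection of NirSoft's docs; treat as an assumption).
PRIVILEGED_RUNAS = {
    "4": "SYSTEM",
    "8": "TrustedInstaller",
    "10": "Local Service",
    "11": "Network Service",
}

# Case-insensitive: "/RunAs 8", "/runas 10", etc.
RUNAS_RE = re.compile(r"(?i)(?:^|\s)/RunAs\s+(\d+)\b")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (e.g. Sysmon Event ID 1 fields)."""
    image: str
    command_line: str


def advancedrun_priv_match(event):
    """Return the requested privileged context if the event matches, else None.

    Matches when the image is AdvancedRun.exe (any path) AND the command
    line asks for one of the privileged /RunAs values. Other /RunAs values
    (e.g. current user) and unrelated processes do not match.
    """
    if not event.image.lower().endswith("\\advancedrun.exe"):
        return None
    m = RUNAS_RE.search(event.command_line)
    if not m:
        return None
    return PRIVILEGED_RUNAS.get(m.group(1))


def scan(events):
    """Return (command_line, context) for every matching event."""
    hits = []
    for e in events:
        ctx = advancedrun_priv_match(e)
        if ctx is not None:
            hits.append((e.command_line, ctx))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Tools\AdvancedRun.exe",
                 r'AdvancedRun.exe /EXEFilename "C:\Windows\System32\cmd.exe" /RunAs 8 /Run'),
    ProcessEvent(r"C:\Tools\AdvancedRun.exe",
                 r'AdvancedRun.exe /EXEFilename "C:\Windows\System32\cmd.exe" /RunAs 1 /Run'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c echo /RunAs 8"),
]
```

Only the first sample event should fire (TrustedInstaller); the second requests the current user's context and the third is a different image that merely mentions the switch.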