Windows Handle Duplication in Known UAC-Bypass Binaries

Splunk Security Content

Summary
This detection identifies suspicious handle duplication against specific Windows utilities that are frequently abused for User Account Control (UAC) bypass. It uses Sysmon EventID 10 (ProcessAccess) data to find processes, including trusted and signed executables, that take part in anomalous handle duplication. By watching access to binaries such as ComputerDefaults.exe and Eventvwr.exe, it surfaces potential privilege escalation attempts: a handle or token being duplicated in this way may indicate an attempt to run a process with elevated privileges without the user's consent. The resulting alerts support escalation response and allow a thorough investigation using the process tree, handle information, and related attributes.
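The following is an added illustration of the detection logic described above, written for this page; it is not the Splunk Security Content search itself. It parses constructed Sysmon EventID 10 records (sample text, not real telemetry) in Sysmon's key/value layout and flags any event where the TargetImage is one of the watched auto-elevating binaries and the GrantedAccess mask includes PROCESS_DUP_HANDLE (0x0040), the Win32 access right that allows handle duplication against the target. The field names are Sysmon's; the access-mask criterion and the optional ignore_sources tuning knob are assumptions made for the example, not part of the published rule.

```python
"""Flag Sysmon EventID 10 (ProcessAccess) records where a process opens a
known UAC-bypass auto-elevating binary with PROCESS_DUP_HANDLE access.
Example code written for this page, not the Splunk Security Content rule."""

import ntpath
from dataclasses import dataclass

# Auto-elevating utilities the page's detection watches (lower-case basenames).
WATCHED_TARGETS = {"computerdefaults.exe", "eventvwr.exe"}

# Win32 process access right permitting DuplicateHandle against the target.
PROCESS_DUP_HANDLE = 0x0040

# Constructed sample events in Sysmon's "Key: value" text layout.
# These are made up for the example and are not real telemetry.
SAMPLE_EVENTS = r"""
EventID: 10
SourceImage: C:\Users\user\AppData\Local\Temp\loader.exe
TargetImage: C:\Windows\System32\ComputerDefaults.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d1e4|UNKNOWN(000001E3A5F00000)

EventID: 10
SourceImage: C:\Windows\System32\svchost.exe
TargetImage: C:\Windows\System32\eventvwr.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2c18e

EventID: 10
SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Windows\System32\eventvwr.exe
GrantedAccess: 0x1478
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d1e4|C:\Windows\System32\KERNELBASE.dll+2c18e

EventID: 10
SourceImage: C:\Windows\explorer.exe
TargetImage: C:\Windows\System32\notepad.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d1e4
"""


@dataclass(frozen=True)
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int  # parsed from the hex GrantedAccess field
    call_trace: str


def parse_sysmon_events(text):
    """Parse blank-line separated 'Key: value' blocks into ProcessAccessEvent
    objects, keeping only EventID 10 records (the ones carrying GrantedAccess)."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            # Split on the first ': ' so 'C:\Windows' inside values stays intact.
            key, _, value = line.partition(": ")
            fields[key.strip()] = value.strip()
        if fields.get("EventID") != "10":
            continue
        events.append(ProcessAccessEvent(
            source_image=fields["SourceImage"],
            target_image=fields["TargetImage"],
            granted_access=int(fields["GrantedAccess"], 16),
            call_trace=fields.get("CallTrace", ""),
        ))
    return events


def has_dup_handle_access(granted_access):
    """True if the access mask (int or '0x..' string) includes PROCESS_DUP_HANDLE."""
    if isinstance(granted_access, str):
        granted_access = int(granted_access, 16)
    return (granted_access & PROCESS_DUP_HANDLE) == PROCESS_DUP_HANDLE


def find_suspicious_dup_handle(text, ignore_sources=frozenset()):
    """Return events where a watched UAC-bypass binary is opened with
    PROCESS_DUP_HANDLE. ignore_sources is an assumed tuning knob: lower-case
    source basenames an analyst has decided are benign in their environment."""
    hits = []
    for ev in parse_sysmon_events(text):
        target = ntpath.basename(ev.target_image).lower()
        source = ntpath.basename(ev.source_image).lower()
        if target not in WATCHED_TARGETS:
            continue
        if not has_dup_handle_access(ev.granted_access):
            continue
        if source in ignore_sources:
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    # Example run with csrss.exe suppressed as an illustrative tuning choice.
    for ev in find_suspicious_dup_handle(SAMPLE_EVENTS, ignore_sources={"csrss.exe"}):
        print(f"{ev.source_image} -> {ev.target_image} "
              f"access=0x{ev.granted_access:X} trace={ev.call_trace}")
```

On the sample data, the svchost.exe event is dropped because 0x1000 (query-limited access) does not include the duplicate-handle bit, and the notepad.exe event is dropped because the target is not a watched binary; the loader.exe and csrss.exe events are flagged. Keeping CallTrace in the result matters for triage: an UNKNOWN module in the trace, as in the loader.exe sample, is the kind of attribute an investigator would examine alongside the process tree.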
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1134.001
Created: 2025-10-31