
Summary
This detection rule identifies process creation via the Secondary Logon service in Windows, which allows users to run processes with different credentials. Adversaries can exploit this feature to escalate privileges and circumvent access controls by creating processes with an alternate token. The rule triggers on events where an authenticated session is created using the Secondary Logon service followed by a new process creation event.
The setup requires monitoring two Windows Security events: 4624 (successful logon) and 4688 (process creation). A sequence query links each qualifying logon to the process creation that follows it, filtering specifically for 4624 events whose logon process is `seclogo` and whose originating process is `svchost.exe` (the Secondary Logon service host). This filtering reduces false positives from ordinary administrative use of "Run as" while keeping the focus on potential malicious activity such as local privilege escalation.
The rule is designed to help security analysts investigate unexpected uses of the Secondary Logon service, encouraging thorough examinations of user activity within the Windows environment to mitigate unauthorized access.
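The sequence logic described above, as an added Python example that is not part of the original rule: it correlates a `seclogo`/`svchost.exe` 4624 with a later 4688 on the same host within a bounded window. The sample events are constructed, and the choice to tie the two events together through the 4624 `TargetLogonId` and the 4688 `SubjectLogonId` is an assumption that tightens the host-level sequence in the rule.

```python
MAXSPAN_SECONDS = 60  # assumed sequence window; a sequence query bounds the gap similarly

# Constructed sample events (not from any real host). Field names follow the
# Windows 4624/4688 event data; the values are invented for this example.
SAMPLE_EVENTS = [
    {"ts": 0.0, "event_id": 4624, "host": "WS01", "LogonProcessName": "User32",
     "ProcessName": "C:\\Windows\\System32\\winlogon.exe", "TargetLogonId": "0x1a2b3"},
    {"ts": 5.0, "event_id": 4624, "host": "WS01", "LogonProcessName": "seclogo",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe", "TargetLogonId": "0x9f4e1"},
    {"ts": 7.5, "event_id": 4688, "host": "WS01", "SubjectLogonId": "0x9f4e1",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": 9.0, "event_id": 4688, "host": "WS01", "SubjectLogonId": "0x1a2b3",
     "NewProcessName": "C:\\Windows\\explorer.exe"},
    {"ts": 125.0, "event_id": 4688, "host": "WS01", "SubjectLogonId": "0x9f4e1",
     "NewProcessName": "C:\\Windows\\System32\\whoami.exe"},
]


def is_seclogo_logon(ev):
    """True for a 4624 produced by the Secondary Logon service via svchost.exe."""
    return (ev["event_id"] == 4624
            and ev.get("LogonProcessName", "").lower() == "seclogo"
            and ev.get("ProcessName", "").lower().endswith("\\svchost.exe"))


def find_seclogo_sequences(events, maxspan=MAXSPAN_SECONDS):
    """Return (logon_event, process_event) pairs where a 4688 follows a
    seclogo/svchost.exe 4624 on the same host, for the same logon ID,
    within maxspan seconds. Events are processed in timestamp order."""
    pending = {}  # (host, logon id) -> most recent qualifying 4624
    matches = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_seclogo_logon(ev):
            pending[(ev["host"], ev["TargetLogonId"])] = ev
        elif ev["event_id"] == 4688:
            logon = pending.get((ev["host"], ev.get("SubjectLogonId")))
            if logon and 0 <= ev["ts"] - logon["ts"] <= maxspan:
                matches.append((logon, ev))
    return matches


if __name__ == "__main__":
    for logon, proc in find_seclogo_sequences(SAMPLE_EVENTS):
        print(f"[{proc['host']}] {proc['NewProcessName']} started "
              f"{proc['ts'] - logon['ts']:.1f}s after a seclogo logon "
              f"(LogonId {logon['TargetLogonId']})")
```

Only `cmd.exe` is reported with the default window: `explorer.exe` belongs to an interactive logon, and `whoami.exe` falls outside the 60-second span, which is where an analyst tunes the trade-off between missed activity and noise.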
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
- User Account
- Network Share
ATT&CK Techniques
- T1134
- T1134.002
- T1134.003
Created: 2022-08-30