
Summary
This detection rule identifies a specific method of bypassing User Account Control (UAC) on Windows systems that combines a .NET Code Profiler with DLL hijacking against the mmc.exe executable. The rule is aimed at detecting attempts that involve creating and using the pe386.dll file in the user's local AppData\Temp directory, a common tactic in privilege escalation attacks. UAC bypass methods abuse the mechanism Windows provides for applications to run with administrative privileges, obtaining elevation without the user's consent or knowledge. The detection leverages file event logs: it monitors for file actions whose path begins with a user profile directory and specifically checks for that DLL file being accessed. The presence of this specific DLL in this context is highly indicative of malicious intent, as it aligns with known UAC bypass patterns documented in public research such as UACMe.
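The following is an added example of the detection logic described above, written here for illustration; it is not the rule's own code or a published implementation. It assumes file events shaped like Sysmon file-create records with a TargetFilename field, assumes the user profile root is a drive letter followed by \Users\, and assumes the drop path is AppData\Local\Temp\pe386.dll; the sample events are constructed. The matcher normalises case and slashes, since Windows paths are case-insensitive and log sources sometimes emit forward slashes, and it accepts any drive letter rather than only C:.

```python
import re
from typing import Dict, List

# Assumption: file events are dicts carrying a "TargetFilename" key, as in
# Sysmon Event ID 11 records. The profile root (<drive>:\Users\<name>) and the
# drop location (AppData\Local\Temp\pe386.dll) are assumptions for this example.
HIJACK_DLL_PATTERN = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\pe386\.dll$"
)


def normalise_path(path: str) -> str:
    """Lower-case the path and fold forward slashes to backslashes so that
    'D:/Users/Bob/AppData/Local/Temp/PE386.DLL' and
    'c:\\users\\bob\\appdata\\local\\temp\\pe386.dll' compare equal."""
    return path.replace("/", "\\").lower()


def is_suspicious_profiler_dll_event(event: Dict[str, str]) -> bool:
    """Return True when a file event targets pe386.dll inside a user's
    AppData\\Local\\Temp folder, the drop location associated with the .NET
    profiler / mmc.exe DLL hijack UAC bypass."""
    target = event.get("TargetFilename")
    if not target:
        return False
    return HIJACK_DLL_PATTERN.match(normalise_path(target)) is not None


def find_hits(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of file events down to those matching the rule."""
    return [e for e in events if is_suspicious_profiler_dll_event(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\pe386.dll"},
    {"EventID": "11", "Image": r"C:\Program Files\Word\winword.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\report.docx"},
    {"EventID": "11", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System32\pe386.dll"},  # outside a profile
    {"EventID": "11", "Image": r"D:\tools\dropper.exe",
     "TargetFilename": r"D:/Users/Bob/AppData/Local/Temp/PE386.DLL"},
    {"EventID": "11", "Image": r"C:\Windows\explorer.exe"},  # malformed, no path
]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("UAC bypass indicator:", hit["Image"], "->", hit["TargetFilename"])
```

Because the rule keys on one fixed file name and location, it is a high-confidence but narrow signal: it catches the publicly documented pattern and should be used alongside broader file and process monitoring rather than as the only control.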
Categories
- Endpoint
- Windows
Data Sources
- File
Created: 2021-08-30