
Summary
This detection rule identifies potential User Account Control (UAC) bypass attempts in which the DiskCleanup scheduled task is hijacked to execute malicious code with elevated privileges. UAC is a Windows security feature that requires confirmation from the user or an administrator before changes are made to the operating system. The DiskCleanup task runs at the highest available privilege level, so an attacker who can control what the task launches obtains elevated execution without the consent prompt that would otherwise be shown.

The rule captures process creation events whose command line carries the arguments DiskCleanup normally uses ("/autoclean" and "/d") but whose executable is not one of the known legitimate paths. The genuine Disk Cleanup binary, cleanmgr.exe, lives under the Windows system directory; any other executable started with these arguments indicates that the task has been redirected to attacker-controlled code.

The rule carries a high risk score, reflecting the severity of a successful UAC bypass. The accompanying analysis guide gives steps to verify the suspicious activity, weigh possible false positives, and remediate the host.
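The detection logic described above, re-implemented as a small Python check over constructed process-creation events. This is an added example, not the rule's own query, and it does not reproduce the rule's exact field names or path list: the two cleanmgr.exe locations in the allowlist are an assumption about what "known legitimate paths" means, and the sample events are constructed, not real telemetry.

```python
"""Toy re-implementation of the DiskCleanup UAC-bypass check.

Example code added for illustration; not the detection rule's own query.
Field names mirror a generic process event: event.type, process.executable,
process.args.
"""
import ntpath

# Assumed allowlist of legitimate DiskCleanup executables. The page only says
# "known legitimate paths"; these two locations are an assumption.
LEGITIMATE_EXECUTABLES = {
    r"c:\windows\system32\cleanmgr.exe",
    r"c:\windows\syswow64\cleanmgr.exe",
}

# Arguments the DiskCleanup task passes to cleanmgr.exe.
REQUIRED_ARGS = {"/autoclean", "/d"}


def _normalize_path(path: str) -> str:
    # Windows paths are case-insensitive and accept either separator, so fold
    # case and normalize separators before comparing against the allowlist.
    return ntpath.normpath(path).lower()


def is_suspicious_diskcleanup_launch(event: dict) -> bool:
    """True when a process-start event carries DiskCleanup's arguments but the
    executable is not one of the legitimate cleanmgr.exe locations."""
    if event.get("event.type") != "start":
        return False
    args = {a.lower() for a in event.get("process.args", [])}
    if not REQUIRED_ARGS <= args:
        return False
    exe = _normalize_path(event.get("process.executable", ""))
    return exe not in LEGITIMATE_EXECUTABLES


def find_suspicious(events):
    """Return the events that match the hijack pattern."""
    return [e for e in events if is_suspicious_diskcleanup_launch(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # benign: the scheduled task launching the real cleanmgr.exe
        "event.type": "start",
        "process.executable": r"C:\Windows\System32\cleanmgr.exe",
        "process.args": [r"C:\Windows\System32\cleanmgr.exe", "/autoclean", "/d", "C:"],
    },
    {  # suspicious: DiskCleanup's arguments, executable outside the allowlist
        "event.type": "start",
        "process.executable": r"C:\Users\Public\cleanmgr.exe",
        "process.args": [r"C:\Users\Public\cleanmgr.exe", "/autoclean", "/d", "C:"],
    },
    {  # benign: unknown executable, but "/autoclean" is absent
        "event.type": "start",
        "process.executable": r"C:\Temp\tool.exe",
        "process.args": [r"C:\Temp\tool.exe", "/d", "C:"],
    },
    {  # ignored: not a process start
        "event.type": "end",
        "process.executable": r"C:\Users\Public\cleanmgr.exe",
        "process.args": [r"C:\Users\Public\cleanmgr.exe", "/autoclean", "/d", "C:"],
    },
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit["process.executable"], " ".join(hit["process.args"]))
```

The allowlist comparison is done on a case-folded, separator-normalized path so that a launch such as `c:/WINDOWS/system32/CLEANMGR.EXE` is still recognized as the legitimate binary; when tuning the real rule, extend the allowlist only with paths you have verified on the host rather than with whatever executable produced a false positive.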
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Scheduled Job
- Application Log
- User Account
ATT&CK Techniques
- T1548
- T1548.002
- T1053
- T1053.005
Created: 2020-08-18