UAC Bypass via ICMLuaUtil Elevated COM Interface

Elastic Detection Rules

Summary
This detection rule identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface, which attackers may abuse to execute code with elevated permissions without user consent. The rule leverages event logs from various Windows sources to monitor process activity, specifically looking for instances where the process `dllhost.exe` is started with certain suspicious arguments indicative of UAC bypass. By excluding legitimate processes such as `WerFault.exe`, the detection focuses on potentially malicious activity. The risk score of 73 (high) reflects the seriousness of the UAC bypass threat, which falls under the MITRE ATT&CK tactics of Privilege Escalation, Defense Evasion, and Execution, notably identifying misuse of the Abuse Elevation Control Mechanism (Technique T1548). Investigation and response recommendations emphasize a thorough review of the system context and immediate isolation of affected hosts if malicious activity is confirmed. False positives are addressed by identifying and excluding legitimate software behaviors from triggering the rule, allowing for more accurate and effective threat detection.
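As an added illustration of the detection shape described above (example code, not the Elastic rule itself), the following Python runs that logic over a few constructed process-start events: it flags children of a `dllhost.exe` COM surrogate hosting ICMLuaUtil while letting the legitimate `WerFault.exe` child through. The page does not name the "suspicious arguments"; the example assumes they are the `/Processid:` switch carrying the CMSTPLUA CLSID that exposes ICMLuaUtil, and the event fields and sample values are constructed.

```python
from dataclasses import dataclass
from typing import List

# CLSID of the CMSTPLUA COM server that exposes ICMLuaUtil. Assumption: the page
# only speaks of "suspicious arguments"; this is the identifier the surrogate
# dllhost.exe receives when that server is instantiated out-of-process.
ICMLUAUTIL_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"

@dataclass(frozen=True)
class ProcessStart:
    """One constructed process-start event with Sysmon/Elastic-style fields."""
    pid: int
    name: str
    parent_pid: int
    parent_name: str
    parent_args: str

def hosts_icmluautil(parent_name: str, parent_args: str) -> bool:
    """True when the parent is a COM surrogate started to host the ICMLuaUtil server."""
    if parent_name.lower() != "dllhost.exe":
        return False
    for token in parent_args.split():
        if token.lower().startswith("/processid:"):
            return token[len("/processid:"):].upper() == ICMLUAUTIL_CLSID
    return False

def is_uac_bypass_candidate(ev: ProcessStart) -> bool:
    """Rule shape: a child spawned by the ICMLuaUtil surrogate, unless it is
    WerFault.exe, which Windows Error Reporting legitimately launches the same way."""
    return hosts_icmluautil(ev.parent_name, ev.parent_args) and ev.name.lower() != "werfault.exe"

def find_bypass_candidates(events: List[ProcessStart]) -> List[ProcessStart]:
    """Return every event that should raise an alert under this rule shape."""
    return [ev for ev in events if is_uac_bypass_candidate(ev)]

# Constructed sample telemetry: one benign crash-report child, one suspicious shell,
# and one child of a surrogate hosting an unrelated (placeholder) CLSID.
SAMPLE_EVENTS = [
    ProcessStart(4100, "dllhost.exe", 800, "svchost.exe", "-k DcomLaunch"),
    ProcessStart(4120, "WerFault.exe", 4100, "dllhost.exe",
                 "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
    ProcessStart(4130, "cmd.exe", 4100, "dllhost.exe",
                 "/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
    ProcessStart(4140, "notepad.exe", 4200, "dllhost.exe",
                 "/Processid:{00000000-0000-0000-0000-000000000000}"),
]

if __name__ == "__main__":
    for ev in find_bypass_candidates(SAMPLE_EVENTS):
        print(f"ALERT pid={ev.pid} {ev.name} spawned by ICMLuaUtil surrogate pid={ev.parent_pid}")
```

Only the `cmd.exe` event is reported: the `WerFault.exe` child is excluded by name, and the surrogate hosting a different CLSID never matches.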
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • User Account
ATT&CK Techniques
  • T1548
  • T1548.002
  • T1559
  • T1559.001
Created: 2020-10-19