
Summary
This rule detects potentially malicious use of the 'tscon.exe' remote session control utility when it is executed under the LOCAL SYSTEM account. 'tscon.exe' attaches the current (or a specified) session to another session on the same host; it is normally invoked interactively by administrators or from service and scheduled-task contexts. Its known abuse is RDP session hijacking: when run as SYSTEM, 'tscon.exe' can connect to any other user's session, including a disconnected one, without supplying that user's password. An attacker who already holds SYSTEM on a host can therefore take over a logged-on administrator's session and act as that user, which can serve as privilege escalation to a higher-privileged account or as a lateral movement step. The detection logic monitors process creation events for 'tscon.exe' where the user field contains 'AUTHORI' or 'AUTORI'. 'AUTHORI' matches 'NT AUTHORITY\SYSTEM'; 'AUTORI' covers localized equivalents of the same account (for example 'AUTORITE NT', 'AUTORIDAD NT', 'AUTORITA NT'), so the substring match is deliberately loose rather than tied to a single language. A match does not prove compromise, since SYSTEM-context execution via a service or scheduled task is possible and should be triaged, and because the rule keys on the process image name, a renamed copy of the binary would not be matched.
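The following is an added example, not the rule's own code, that runs the detection logic described above over a handful of constructed process-creation records. Field names (image, user, command line) mirror the usual Sysmon Event ID 1 conventions, the user strings for the localized SYSTEM account are illustrative, and the renamed-binary record is included only to show the evasion caveat.

```python
"""Added example: apply the "tscon.exe run as SYSTEM" logic to sample events.

This is illustrative code, not the rule's implementation. Field names follow
Sysmon Event ID 1 conventions and all event records below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Substrings from the rule: 'AUTHORI' matches NT AUTHORITY\SYSTEM, 'AUTORI'
# matches localized names of the same account (AUTORITE NT, AUTORIDAD NT, ...).
USER_MARKERS = ("AUTHORI", "AUTORI")
TARGET_IMAGE = "tscon.exe"


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    user: str           # account the process runs as (DOMAIN\user form)
    command_line: str   # command line as logged


def image_basename(path: str) -> str:
    """Return the file name of a Windows path, lower-cased.

    Windows paths are case-insensitive, so comparisons are done in lower case.
    """
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_tscon_as_system(event: ProcessEvent) -> bool:
    """True when the image is tscon.exe and the user field carries a SYSTEM marker."""
    if image_basename(event.image) != TARGET_IMAGE:
        return False
    user_upper = event.user.upper()
    return any(marker in user_upper for marker in USER_MARKERS)


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return every event that satisfies the rule, in input order."""
    return [e for e in events if is_tscon_as_system(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # SYSTEM-context hijack of session 2 onto the console: should match.
    ProcessEvent(r"C:\Windows\System32\tscon.exe", r"NT AUTHORITY\SYSTEM",
                 "tscon.exe 2 /dest:console"),
    # Same thing on a French-localized host: 'AUTORI' substring should match.
    ProcessEvent(r"C:\Windows\System32\tscon.exe", "AUTORITE NT\\Système",
                 "tscon 3 /dest:rdp-tcp#1"),
    # Help-desk admin using tscon interactively: not SYSTEM, no match.
    ProcessEvent(r"C:\Windows\System32\tscon.exe", r"CORP\helpdesk",
                 "tscon 4 /dest:console /password:*"),
    # SYSTEM running a different session tool: wrong image, no match.
    ProcessEvent(r"C:\Windows\System32\query.exe", r"NT AUTHORITY\SYSTEM",
                 "query session"),
    # Renamed copy of tscon.exe run as SYSTEM: evades an image-name match.
    ProcessEvent(r"C:\Temp\svc.exe", r"NT AUTHORITY\SYSTEM",
                 "svc.exe 2 /dest:console"),
]


def main() -> None:
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT tscon as SYSTEM: user={hit.user!r} cmd={hit.command_line!r}")


if __name__ == "__main__":
    main()
```

The last sample record is the gap worth remembering when tuning: matching on the image name alone misses a renamed binary, so a field that records the original file name from the PE version resource is a stronger anchor where the telemetry provides one.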
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2018-03-17