Suspicious Svchost Process Access

Sigma Rules

Summary
This rule detects suspicious access to the Windows 'svchost.exe' process, which hosts many Windows services. It focuses on access that falls outside normal operations, such as that performed by malware frameworks like Invoke-Phantom, which tamper with 'svchost.exe' to terminate critical services such as the Windows event logging service. The rule fires when any process accesses 'svchost.exe' with full rights ('GrantedAccess' equal to '0x1F3FFF') and the call trace contains UNKNOWN (a frame that Sysmon could not map to a loaded module), a strong indicator of potentially malicious behaviour. A filter excludes access originating from legitimate development processes such as Microsoft Visual Studio's MSBuild, to reduce false positives.
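The selection and filter described above, applied to Sysmon Event ID 10 (ProcessAccess) records, as an added example that is not the rule's own YAML. It assumes Sysmon's field names (SourceImage, TargetImage, GrantedAccess, CallTrace) and an MSBuild.exe path suffix for the filter; the sample events are constructed.

```python
# Added example: evaluates Sysmon Event ID 10 (ProcessAccess) records
# against the logic described in the summary above. Field names follow
# Sysmon's ProcessAccess schema; the events below are constructed samples.
from typing import Iterable, List, Optional

HIGH_PRIV_ACCESS = 0x1F3FFF            # GrantedAccess value named by the rule
EXCLUDED_SOURCES = ("\\msbuild.exe",)  # assumed path suffix for the MSBuild filter


def _granted_access(value) -> Optional[int]:
    """Normalise GrantedAccess (Sysmon logs it as a hex string such as '0x1F3FFF')."""
    try:
        return int(str(value), 16) if isinstance(value, str) else int(value)
    except (TypeError, ValueError):
        return None


def matches_rule(event: dict) -> bool:
    """True when the event meets the selection and is not removed by the filter."""
    if event.get("EventID") != 10:
        return False
    target = str(event.get("TargetImage", "")).lower()
    source = str(event.get("SourceImage", "")).lower()
    call_trace = str(event.get("CallTrace", ""))
    if not target.endswith("\\svchost.exe"):
        return False
    if _granted_access(event.get("GrantedAccess")) != HIGH_PRIV_ACCESS:
        return False
    if "UNKNOWN" not in call_trace.upper():  # frame not backed by a loaded module
        return False
    # Filter: legitimate Visual Studio MSBuild activity is excluded.
    return not any(source.endswith(s) for s in EXCLUDED_SOURCES)


def run_detection(events: Iterable[dict]) -> List[dict]:
    """Return the events that would trigger the rule."""
    return [e for e in events if matches_rule(e)]


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 10, "SourceImage": "C:\\Users\\u\\AppData\\Local\\Temp\\loader.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1F3FFF",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d5a4|UNKNOWN(00007FFA12340000)"},
    {"EventID": 10, "SourceImage": "C:\\Program Files\\Microsoft Visual Studio\\2019\\MSBuild\\Current\\Bin\\MSBuild.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1F3FFF",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d5a4|UNKNOWN(00007FFA12340000)"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\lsass.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "GrantedAccess": "0x1000",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d5a4|C:\\Windows\\System32\\KERNELBASE.dll+2c6a"},
]
```

Only the first sample fires: the MSBuild event is dropped by the filter and the lsass event neither requests full access nor has an UNKNOWN frame.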
Categories
  • Windows
Data Sources
  • Process
Created: 2020-01-02