
Summary
This detection rule identifies instances where the PSEXESVC service (the service-side component that PsExec installs on the remote host) launches a child process under the LOCAL_SYSTEM account. The significance of this behavior lies in the privilege level at which the command runs: a remotely initiated command executed as LOCAL_SYSTEM has higher privileges than the user account that initiated it, so far more damaging actions are possible. This can indicate unauthorized remote access or execution of malicious commands. The rule examines Windows process-creation events for any process whose parent is PSEXESVC and whose user name contains the substring 'AUTHORI' or 'AUTORI'; these substrings match the LOCAL_SYSTEM account name 'NT AUTHORITY\SYSTEM' and its localized spellings (for example 'NT-AUTORITÄT\SYSTEM' on German systems). Because PsExec is itself a systems management tool, matches should be reviewed against expected administrative use. By monitoring these occurrences, organizations can detect potential exploitation attempts through remote command execution tools that run with elevated privileges.
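The following is an added example, not code from the rule's author, showing the rule's matching logic applied to constructed Sysmon-style process-creation records; the field names (ParentImage, User, Image, CommandLine) and the sample events are assumptions, not real telemetry.

```python
# Constructed Sysmon Event ID 1 (process creation) records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "User": r"NT AUTHORITY\SYSTEM",          # English LOCAL_SYSTEM name
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "User": r"NT-AUTORITÄT\SYSTEM",          # German-localized LOCAL_SYSTEM name
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "User": r"CORP\jdoe",                    # PsExec run as the caller, not SYSTEM
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM",          # SYSTEM, but not a PSEXESVC child
     "CommandLine": "svchost.exe -k netsvcs"},
]

# Default PsExec service binary name; compared case-insensitively as a suffix.
PSEXEC_SERVICE_IMAGE = "\\psexesvc.exe"
# Substrings shared by 'NT AUTHORITY\SYSTEM' and its localized spellings.
LOCAL_SYSTEM_MARKERS = ("authori", "autori")


def is_psexec_system_child(event):
    """True when the process was spawned by PSEXESVC under a LOCAL_SYSTEM-style account."""
    parent = event.get("ParentImage", "").lower()
    user = event.get("User", "").lower()
    if not parent.endswith(PSEXEC_SERVICE_IMAGE):
        return False
    return any(marker in user for marker in LOCAL_SYSTEM_MARKERS)


def find_matches(events):
    """Return the subset of events that trigger the rule."""
    return [e for e in events if is_psexec_system_child(e)]


if __name__ == "__main__":
    for e in find_matches(SAMPLE_EVENTS):
        print(f"ALERT: {e['ParentImage']} -> {e['Image']} as {e['User']}")
```

Only the first two records match: the third runs as the calling user, and the fourth is a SYSTEM process with a different parent. The parent check keys on the default service name, so a PsExec session started with a renamed service binary is not caught by this logic alone and should be covered by service-installation telemetry as well.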
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2022-07-21