
Summary
This analytic rule detects a registry modification that allows administrators to perform elevated operations without a user consent prompt. Specifically, it monitors the Windows Registry for changes to the 'ConsentPromptBehaviorAdmin' value in the Policies System registry path, a critical indicator of privilege escalation attempts. If 'ConsentPromptBehaviorAdmin' is set to '0x00000000', the UAC consent prompt is bypassed, which could lead to significant security exposure by allowing attackers to execute high-privilege tasks undetected. The detection uses data from Sysmon Event IDs 12 and 13 and leverages the Endpoint.Registry data model.
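The matching logic described above, written out as an added Python example (not the analytic's own search or code): it assumes Sysmon registry events flattened to a key="value" layout and Sysmon's "DWORD (0x00000000)" rendering of REG_DWORD data; the sample records are constructed.

```python
import re

# Registry value and key named in the analytic (HKLM Policies\System path).
TARGET_VALUE = "ConsentPromptBehaviorAdmin"
TARGET_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Sysmon renders REG_DWORD data in the Details field as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]{8})\)")

def parse_event(line: str) -> dict:
    """Parse a constructed key="value" Sysmon-style record into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def is_uac_admin_prompt_disabled(event: dict) -> bool:
    """True for Sysmon EID 12/13 events that set ConsentPromptBehaviorAdmin to zero."""
    if event.get("EventID") not in {"12", "13"}:
        return False
    key, _, value = event.get("TargetObject", "").rpartition("\\")
    if value != TARGET_VALUE or not key.lower().endswith(TARGET_KEY.lower()):
        return False
    m = DWORD_RE.fullmatch(event.get("Details", ""))
    return m is not None and int(m.group(1), 16) == 0  # 0 = elevate without prompting

def detect(lines) -> list:
    """Return (host, image, details) for every record that trips the check."""
    hits = []
    for ev in map(parse_event, lines):
        if is_uac_admin_prompt_disabled(ev):
            hits.append((ev.get("Computer", ""), ev.get("Image", ""), ev["Details"]))
    return hits

# Constructed sample records (not real telemetry); only the first should fire.
POLICY_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
SAMPLE_EVENTS = [
    f'EventID="13" Computer="ws01" Image="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe" '
    f'TargetObject="{POLICY_KEY}\\{TARGET_VALUE}" Details="DWORD (0x00000000)"',
    # Default value 5 (prompt for consent for non-Windows binaries): benign.
    f'EventID="13" Computer="ws01" Image="C:\\Windows\\System32\\svchost.exe" '
    f'TargetObject="{POLICY_KEY}\\{TARGET_VALUE}" Details="DWORD (0x00000005)"',
    # Zero written to a different value under the same key: out of scope here.
    f'EventID="13" Computer="ws02" Image="C:\\Windows\\System32\\svchost.exe" '
    f'TargetObject="{POLICY_KEY}\\ConsentPromptBehaviorUser" Details="DWORD (0x00000000)"',
    # Same value name under an unrelated key: out of scope.
    f'EventID="13" Computer="ws02" Image="C:\\Program Files\\App\\app.exe" '
    f'TargetObject="HKLM\\SOFTWARE\\ExampleVendor\\{TARGET_VALUE}" Details="DWORD (0x00000000)"',
]

if __name__ == "__main__":
    for host, image, details in detect(SAMPLE_EVENTS):
        print(f"{host}: {image} set {TARGET_VALUE} = {details}")
```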
Categories
- Endpoint
- Windows
Data Sources
- Pod
- User Account
- Windows Registry
ATT&CK Techniques
- T1548
Created: 2024-12-08