UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer

Elastic Detection Rules

Summary
The rule identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM interface to launch a process with elevated privileges. Adversaries use this tactic to run malware with higher privileges without triggering the UAC consent prompt. Specifically, the detection targets newly started processes whose executable lives in a temporary directory and whose parent is 'ieinstal.exe' (the Internet Explorer add-on installer) started with the '-Embedding' argument, which indicates the parent was activated as an out-of-process COM server rather than launched interactively. The query draws on several data sources, including Winlogbeat and Microsoft Defender, to analyze process execution patterns that match known UAC bypass behavior. The rule includes an investigation guide with steps to assess the legitimacy of the detected processes and to identify potential false positives, and it outlines the response actions to take if a UAC bypass is confirmed, emphasizing immediate isolation of the host and a thorough investigation.
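The detection logic described above, as an added worked example that is not part of the Elastic rule or this page: a small Python function that evaluates flattened process-start events against the three conditions in the summary (executable in a temp directory, parent ieinstal.exe, parent started with -Embedding) and runs them over constructed sample events. The temp-directory path pattern, the event field layout and the sample events are assumptions made for the example; the production rule's exact query is not shown on this page.

```python
"""Illustrative re-implementation of the UAC-bypass-via-ieinstal.exe check.

Not the Elastic rule itself. The event shape follows ECS-style nesting
(event.type, process.executable, process.parent.name, process.parent.args),
but the exact path pattern is an assumption for this example.
"""
import re

# Assumption: a per-user temp directory under AppData\Local\Temp. The real
# rule's path pattern is not reproduced on this page.
TEMP_DIR_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE
)


def is_uac_bypass_candidate(event: dict) -> bool:
    """True when a process-start event matches all three conditions:
    1. the new process's executable is inside a user temp directory,
    2. its parent process is ieinstal.exe,
    3. the parent was started with -Embedding, i.e. activated as an
       out-of-process COM server rather than launched interactively.
    Comparisons are case-insensitive because Windows paths and argv are."""
    if event.get("event", {}).get("type") != "start":
        return False
    proc = event.get("process", {})
    parent = proc.get("parent", {})
    executable = proc.get("executable") or ""
    parent_name = (parent.get("name") or "").lower()
    parent_args = [a.lower() for a in parent.get("args", [])]
    return (
        TEMP_DIR_RE.search(executable) is not None
        and parent_name == "ieinstal.exe"
        and "-embedding" in parent_args
    )


def find_matches(events):
    """Return the PIDs of events that match, in input order."""
    return [e["process"]["pid"] for e in events if is_uac_bypass_candidate(e)]


# Constructed sample events (not real telemetry).
IEINSTAL = r"C:\Program Files\Internet Explorer\ieinstal.exe"
SAMPLE_EVENTS = [
    {   # 1. COM-activated ieinstal.exe spawning a payload from Temp: match
        "event": {"type": "start"},
        "process": {
            "pid": 4312,
            "executable": r"C:\Users\alice\AppData\Local\Temp\IDC1F3A.tmp\update.exe",
            "parent": {"name": "ieinstal.exe", "args": [IEINSTAL, "-Embedding"]},
        },
    },
    {   # 2. ieinstal.exe itself being started by svchost: not a child in Temp
        "event": {"type": "start"},
        "process": {
            "pid": 5120,
            "executable": IEINSTAL,
            "parent": {"name": "svchost.exe", "args": ["svchost.exe", "-k", "DcomLaunch"]},
        },
    },
    {   # 3. Installer run from Temp by the user's shell: wrong parent
        "event": {"type": "start"},
        "process": {
            "pid": 5200,
            "executable": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
            "parent": {"name": "explorer.exe", "args": ["explorer.exe"]},
        },
    },
    {   # 4. COM-activated ieinstal.exe launching a vendor installer from Program Files
        "event": {"type": "start"},
        "process": {
            "pid": 5300,
            "executable": r"C:\Program Files (x86)\Vendor\addon-setup.exe",
            "parent": {"name": "ieinstal.exe", "args": [IEINSTAL, "-Embedding"]},
        },
    },
    {   # 5. ieinstal.exe started interactively (no -Embedding) with a Temp child
        "event": {"type": "start"},
        "process": {
            "pid": 5400,
            "executable": r"C:\Users\alice\AppData\Local\Temp\helper.exe",
            "parent": {"name": "ieinstal.exe", "args": [IEINSTAL]},
        },
    },
]

if __name__ == "__main__":
    for pid in find_matches(SAMPLE_EVENTS):
        print(f"ALERT: possible UAC bypass via elevated ieinstal.exe, child pid {pid}")
```

Only the first event fires: events 3 and 5 show why a temp-directory executable or an ieinstal.exe parent alone is not enough, and event 4 shows why the check is on the child's path rather than the parent's. When tuning, the -Embedding condition is the one that ties the activity to elevated COM activation; relaxing it will pull in interactive add-on installs.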
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Logon Session
  • Application Log
  • User Account
ATT&CK Techniques
  • T1548
  • T1548.002
  • T1559
  • T1559.001
Created: 2020-11-03