
Summary
This composed hunting rule targets Splunk deployments and looks for a possible privilege-escalation chain that begins with abuse of the UI/Dashboard views endpoint. It is a correlation search over Splunk's own internal logs (splunkd_ui_access and audittrail), not a runtime payload detector.

The search runs in two stages:

- It first captures POST requests to the internal metrics UI path (splunk_internal_metrics/data/ui/views) and labels each as a post_request event.
- It then appends a sub-search over audittrail for edit_user operations with a create action, extracts the created account name into newUser from the raw event, and labels each as a create_user event.

Both sets are placed on a common timeline keyed by _time, index, sourcetype and host, and a transaction links a post_request to a create_user that follows it within a 10-minute window. The result is tabulated with _time, index, sourcetype, host, method, user, splunk_server, operation, event, newUser and eventcount; a macro then filters for the specific Privilege Escalation pattern, so the final signal is a POST to the views endpoint followed by creation of a privileged user.

Known false positives: a legitimate administrator who saves or updates a dashboard and then provisions a user within the same 10 minutes will match. Operator review is required; the user, newUser and splunk_server fields in the output are the first things to check, and the transaction span can be tightened if the pattern proves noisy.

The rule references CVE-2024-36992 (a vulnerability in the Splunk Enterprise /data/ui/views endpoint) and MITRE ATT&CK technique T1189 (Drive-by Compromise), and is intended for Splunk Enterprise, Splunk Cloud and Enterprise Security deployments.
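The post_request to create_user correlation described above, as an added Python example that is not the rule's own SPL: it parses a few constructed splunkd_ui_access and audittrail lines (their layout only approximates Splunk's, and the host for each line is supplied beside it), keeps POSTs to the views path and edit_user/create audit events, and links them within the rule's 10-minute span. Keying the link on host and treating audittrail timestamps as UTC are assumptions made here; the summary states only the time window. The sample set deliberately includes a create that follows its POST too late and one with no preceding POST, so only one pair survives.

```python
"""Added example: reproduce the hunting rule's post_request -> create_user
correlation in Python over constructed log lines. This is not the rule's
own SPL; output field names follow the summary's table."""
import re
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)      # the rule's 10-minute transaction span
TARGET_PATH = "/data/ui/views"      # views endpoint named in the rule

# Constructed sample events as (host, raw line). The layouts only
# approximate splunkd_ui_access and audittrail; they are not real logs.
UI_ACCESS = [
    ("sh1", '10.0.0.5 - jdoe [24/Jun/2026:10:01:02.000 +0000] '
            '"POST /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views HTTP/1.1" 201 512'),
    ("sh1", '10.0.0.5 - jdoe [24/Jun/2026:10:02:10.000 +0000] '
            '"GET /en-US/app/search/search HTTP/1.1" 200 8812'),
    ("sh2", '10.0.0.9 - ops [24/Jun/2026:09:00:00.000 +0000] '
            '"POST /en-US/splunkd/__raw/servicesNS/nobody/search/data/ui/views HTTP/1.1" 201 400'),
]
AUDIT = [
    # sh1: user created 6m43s after the POST -> inside the window
    ("sh1", 'Audit:[timestamp=06-24-2026 10:07:45.000, user=jdoe, action=edit_user, '
            'info=granted object="svc_backdoor" operation=create]'),
    # sh2: user created 30 minutes after the POST -> outside the window
    ("sh2", 'Audit:[timestamp=06-24-2026 09:30:00.000, user=ops, action=edit_user, '
            'info=granted object="newhire" operation=create]'),
    # sh3: user created with no preceding POST at all
    ("sh3", 'Audit:[timestamp=06-24-2026 11:00:00.000, user=root, action=edit_user, '
            'info=granted object="lonely" operation=create]'),
]

UI_RE = re.compile(r'^\S+ - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)')
AUDIT_RE = re.compile(
    r'timestamp=(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d+), user=(?P<user>[^,]+), '
    r'action=(?P<action>[^,\]]+).*?object="(?P<newUser>[^"]+)".*?operation=(?P<op>\w+)'
)


def parse_ui_access(host, line):
    """Return a post_request-style event dict, or None if the line does not parse."""
    m = UI_RE.match(line)
    if not m:
        return None
    return {
        "_time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z"),
        "host": host, "sourcetype": "splunkd_ui_access", "event": "post_request",
        "method": m["method"], "uri": m["uri"], "user": m["user"],
    }


def parse_audit(host, line):
    """Return a create_user-style event dict with newUser pulled from _raw, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    # audittrail timestamps carry no zone here; UTC is an assumption of this example
    ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return {
        "_time": ts, "host": host, "sourcetype": "audittrail", "event": "create_user",
        "user": m["user"], "action": m["action"], "operation": m["op"], "newUser": m["newUser"],
    }


def hunt(ui_lines, audit_lines, window=WINDOW):
    """Link each edit_user/create event to the POSTs against TARGET_PATH that
    precede it on the same host within `window` (host keying is an assumption)."""
    posts = [e for e in (parse_ui_access(h, l) for h, l in ui_lines)
             if e and e["method"] == "POST" and TARGET_PATH in e["uri"]]
    creates = [e for e in (parse_audit(h, l) for h, l in audit_lines)
               if e and e["action"] == "edit_user" and e["operation"] == "create"]
    hits = []
    for c in creates:
        linked = [p for p in posts
                  if p["host"] == c["host"] and c["_time"] - window <= p["_time"] <= c["_time"]]
        if not linked:
            continue  # no POST to the views path in the preceding window: no signal
        hits.append({
            "_time": min(p["_time"] for p in linked), "host": c["host"],
            "method": "POST", "user": c["user"], "operation": c["operation"],
            "newUser": c["newUser"], "eventcount": len(linked) + 1,
        })
    return hits


if __name__ == "__main__":
    for hit in hunt(UI_ACCESS, AUDIT):
        print(hit)
```

Run as-is, only the sh1 pair is reported: the sh2 creation is 30 minutes after its POST and the sh3 creation has no POST to correlate with. Shrinking `window` drops the sh1 pair as well, which is the tuning lever the false-positive note above refers to. The `user` field carries the account that performed the create, which is what a reviewer compares against the `newUser` value to decide whether the provisioning was expected.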
Categories
- Application
Data Sources
- Application Log
ATT&CK Techniques
- T1189
Created: 2026-06-24