
Summary
This detection rule identifies potential privilege escalation attempts to the LOCAL SYSTEM account by analyzing process creation events on Windows systems. It focuses on command-line arguments commonly associated with tools such as PsExec and PAExec, which attackers frequently use to execute processes with elevated privileges. The rule matches specific command-line patterns to detect instances where these tools are invoked, or where programs are started with SYSTEM privileges, without proper authorization. Filters exclude legitimate uses of these tools, so routine administrative tasks pass while potential misuse is flagged. The rule is intended to alert on high-risk scenarios and thereby strengthen defenses against privilege escalation attacks.
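As an added illustration (not the rule's own logic, which this page does not reproduce), the Python below applies the same idea to constructed process-creation events: it parses a PsExec/PAExec command line, identifies launches that use the `-s` switch (run the target as SYSTEM), and suppresses an assumed legitimate parent process. The tool names, the switches treated as taking a value, and the allowlist are assumptions.

```python
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 1 style events for illustration; not real telemetry.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Tools\PsExec.exe", "CommandLine": r"PsExec.exe -accepteula -s -i cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Tools\paexec.exe", "CommandLine": r"paexec.exe \\srv01 -s powershell.exe -enc AAAA",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Tools\PsExec.exe", "CommandLine": r"PsExec.exe \\srv02 -s C:\Scripts\patch.cmd",
     "ParentImage": r"C:\Program Files\PatchMgmt\agent.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Tools\PsExec.exe", "CommandLine": r"PsExec.exe \\srv03 -u admin ipconfig",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
]

TOOLS = ("psexec", "paexec")                 # PAExec mirrors PsExec's switch syntax
VALUE_FLAGS = {"-u", "-p", "-n", "-w", "-r"}  # switches that consume the following token
# Assumed allowlist: a patch-management agent is treated as legitimate administration.
ALLOWED_PARENTS = {r"c:\program files\patchmgmt\agent.exe"}

def system_launch_target(cmd: str) -> Optional[str]:
    """Return the program PsExec/PAExec would run as SYSTEM (-s), or None."""
    tokens = cmd.split()
    if not tokens or not tokens[0].strip('"').rsplit("\\", 1)[-1].lower().startswith(TOOLS):
        return None
    as_system, i = False, 1
    while i < len(tokens):
        tok, low = tokens[i], tokens[i].lower()
        if tok.startswith("\\\\"):            # \\host or \\host1,host2 target list
            i += 1
        elif low == "-s":
            as_system, i = True, i + 1
        elif low in VALUE_FLAGS:
            i += 2
        elif low == "-i" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            i += 2                          # -i <session id>
        elif tok.startswith("-"):
            i += 1
        else:                               # first non-switch token is the program
            return tok if as_system else None
    return None

def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Alert on SYSTEM launches via PsExec/PAExec unless the parent is allowlisted."""
    alerts = []
    for ev in events:
        target = system_launch_target(ev["CommandLine"])
        if target is None or ev["ParentImage"].lower() in ALLOWED_PARENTS:
            continue
        alerts.append({"user": ev["User"], "parent": ev["ParentImage"], "target": target})
    return alerts
```

Running `detect(EVENTS)` yields two alerts (the interactive cmd.exe and the powershell.exe launches); the patch script from the allowlisted parent and the `-u` run without `-s` are not reported.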
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2021-05-22