Executable Running as NT AUTHORITY_SYSTEM Registered in BAM

Anvilogic Forge

Summary
This detection rule identifies executables that ran under the privileged NT AUTHORITY\SYSTEM account and were recorded in the Background Activity Moderator (BAM) registry key on Windows systems. The BAM service keeps track of executables run locally, logging them under 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID>', where each entry is stored beneath the SID of the user that ran it. This matters because NT AUTHORITY\SYSTEM holds the highest privilege level on Windows, so an unexpected executable recorded under its SID may indicate that an attacker has obtained SYSTEM-level execution. The detection logic queries Windows event logs for Event Code 4657, which records a modification to a registry value, and narrows the results to entries with a .exe extension registered under the BAM key for the SYSTEM account. This behavior is relevant to privilege escalation vulnerabilities such as CVE-2024-30088, which illustrates how attackers can exploit software vulnerabilities to gain elevated privileges. By monitoring BAM entries for suspicious executables, defenders can identify potential exploitation of the system.
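The filter described above, worked through over constructed Event 4657 records as an added example (not Anvilogic's rule logic): it keys on the BAM UserSettings key for the well-known SYSTEM SID S-1-5-18 and on value names ending in .exe. The field names (EventCode, ObjectName, ObjectValueName) follow the Windows Security log schema; the sample events and paths are made up.

```python
import re
from typing import Iterable

# Well-known SID for NT AUTHORITY\SYSTEM.
SYSTEM_SID = "S-1-5-18"

# Event 4657 reports the key in kernel form (\REGISTRY\MACHINE\...) and usually
# names the concrete control set (ControlSet001) rather than CurrentControlSet.
BAM_KEY_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Services\\bam\\State\\UserSettings\\(?P<sid>S-1-5-[\d-]+)$",
    re.IGNORECASE,
)

def is_system_bam_exe(event: dict) -> bool:
    """True when a 4657 event records a .exe value under the SYSTEM BAM key."""
    if str(event.get("EventCode")) != "4657":
        return False
    m = BAM_KEY_RE.match(event.get("ObjectName", ""))
    if not m or m.group("sid").upper() != SYSTEM_SID:
        return False
    # In BAM the value *name* is the executable path; the value data is a timestamp blob.
    return event.get("ObjectValueName", "").lower().endswith(".exe")

def find_system_bam_exes(events: Iterable[dict]) -> list[str]:
    """Return the executable paths from every matching event, in log order."""
    return [e["ObjectValueName"] for e in events if is_system_bam_exe(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 4657,  # SYSTEM SID, .exe value: should alert
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-18",
     "ObjectValueName": r"\Device\HarddiskVolume3\Temp\tool.exe"},
    {"EventCode": 4657,  # same key family, but an interactive user's SID: out of scope
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1111-2222-3333-1001",
     "ObjectValueName": r"\Device\HarddiskVolume3\Windows\System32\notepad.exe"},
    {"EventCode": 4657,  # SYSTEM key, but a non-executable value
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-18",
     "ObjectValueName": "Version"},
    {"EventCode": 4663,  # object access, not a value modification
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-18",
     "ObjectValueName": r"\Device\HarddiskVolume3\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for hit in find_system_bam_exes(SAMPLE_EVENTS):
        print("SYSTEM BAM entry:", hit)
```

Event 4657 is only written for this key when object-access auditing is enabled and a SACL covering value writes has been set on the BAM key, so confirm that auditing is in place before relying on the rule.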
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1068
Created: 2024-02-09