
Summary
This rule aims to detect potential User Account Control (UAC) bypass attempts through the execution of the Windows utility sdclt.exe (Windows Task Scheduler). The detection rests on the observation that sdclt.exe running at a high integrity level can indicate an attempt to elevate privileges or evade security controls. The rule looks for process creation events where the image name ends with 'sdclt.exe' and the integrity level is either 'High' or the security identifier S-1-16-12288 associated with elevated processes. When both conditions are met, the process may be involved in a UAC bypass technique, and an alert is raised for further investigation.
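The two conditions above, applied to constructed process-creation records, as an added example that is not part of the original rule: the field names (Image/IntegrityLevel for Sysmon Event ID 1, NewProcessName/MandatoryLabel for Security Event ID 4688) and the sample events are assumptions made here to show why the rule accepts both the name 'High' and the SID S-1-16-12288.

```python
# Integrity levels that satisfy the rule's second condition. Sysmon Event ID 1
# reports the level by name ("High"); Security Event ID 4688 reports it as a
# mandatory-label SID, where S-1-16-12288 is the High integrity level.
ELEVATED_LEVELS = {"high", "s-1-16-12288"}


def matches_rule(event: dict) -> bool:
    """Return True when a process-creation event meets both rule conditions."""
    # Sysmon uses Image; Security 4688 uses NewProcessName (assumed field names).
    image = event.get("Image") or event.get("NewProcessName") or ""
    level = event.get("IntegrityLevel") or event.get("MandatoryLabel") or ""
    # Case-insensitive suffix match, mirroring the rule's "ends with sdclt.exe".
    name_match = image.lower().endswith("sdclt.exe")
    level_match = level.strip().lower() in ELEVATED_LEVELS
    return name_match and level_match


def alerts(events: list) -> list:
    """Return the RecordIds of all events that trigger the rule."""
    return [e["RecordId"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry) covering both log sources.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\sdclt.exe",
     "IntegrityLevel": "High"},                      # Sysmon, elevated: alert
    {"RecordId": 2, "Image": r"C:\Windows\System32\sdclt.exe",
     "IntegrityLevel": "Medium"},                    # Sysmon, not elevated
    {"RecordId": 3, "NewProcessName": r"C:\Windows\System32\sdclt.exe",
     "MandatoryLabel": "S-1-16-12288"},              # 4688, High SID: alert
    {"RecordId": 4, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "MandatoryLabel": "S-1-16-12288"},              # 4688, wrong image
    {"RecordId": 5, "Image": r"C:\WINDOWS\system32\SDCLT.EXE",
     "IntegrityLevel": "high"},                      # mixed case: alert
]

if __name__ == "__main__":
    print("alerting RecordIds:", alerts(SAMPLE_EVENTS))
```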
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2020-05-02