
Summary
This detection rule identifies a specific pattern indicative of a User Account Control (UAC) bypass using the Disk Cleanup Utility on Windows systems. The technique leverages a scheduled task in combination with environment-variable expansion in the path of the cleanmgr.exe process, as documented in UACMe (technique 34). The rule looks for process creation events where the command line of the executed process ends with 'C:\system32\cleanmgr.exe /autoclean /d C:', indicating a potentially malicious use of the Disk Cleanup Utility to escalate privileges. Additionally, it checks that the parent command line is 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule', the Task Scheduler service host that launches scheduled tasks. The rule further filters on a high integrity level, which indicates the process is running with elevated privileges and, together with the other conditions, points to malicious activity. By capturing these specific attributes, the rule helps to flag attempts to bypass UAC and gain unauthorized access privileges.
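The three conditions above, applied to process-creation events, as an added example that is not part of the original rule page. The event field names (CommandLine, ParentCommandLine, IntegrityLevel) follow the Sysmon/Sigma process_creation convention and are an assumption; the sample events are constructed, not real telemetry.

```python
# Added example: minimal matcher for the cleanmgr.exe UAC bypass rule described above.
# Field names follow the Sysmon / Sigma process_creation convention (assumption).

CLEANMGR_SUFFIX = r"C:\system32\cleanmgr.exe /autoclean /d C:"
SCHEDULE_PARENT = r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"


def matches_cleanmgr_uac_bypass(event: dict) -> bool:
    """Return True when the event satisfies every condition of the rule."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentCommandLine", "")
    integrity = event.get("IntegrityLevel", "")
    # Windows paths and switches are case-insensitive, so compare casefolded,
    # as Sigma's default string matching does.
    return (
        cmd.casefold().endswith(CLEANMGR_SUFFIX.casefold())
        and parent.casefold() == SCHEDULE_PARENT.casefold()
        and integrity.casefold() == "high"
    )


def scan(events):
    """Return the subset of events that trigger the rule."""
    return [e for e in events if matches_cleanmgr_uac_bypass(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # Matches: Schedule-service parent, variable-expanded path, high integrity.
        "CommandLine": r"C:\system32\cleanmgr.exe /autoclean /d C:",
        "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
        "IntegrityLevel": "High",
    },
    {  # No match: ordinary launch with the full Windows path and no Schedule parent.
        "CommandLine": r"C:\Windows\system32\cleanmgr.exe /autoclean /d C:",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "IntegrityLevel": "Medium",
    },
    {  # No match: expected parent and path, but the process is not elevated.
        "CommandLine": r"C:\system32\cleanmgr.exe /autoclean /d C:",
        "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
        "IntegrityLevel": "Medium",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT cleanmgr UAC bypass:", hit["CommandLine"])
```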
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2021-08-30