
Summary
This detection rule identifies attempts to bypass User Account Control (UAC) on Windows through the WSReset.exe utility. UAC asks for consent before an action that needs administrative rights; a UAC bypass obtains an elevated process without that prompt. WSReset.exe, the Microsoft binary that resets the Microsoft Store cache, is auto-elevated by Windows, and adversaries abuse it as a trusted launcher for their own commands so that the resulting child process runs elevated without a prompt (privilege escalation and defense evasion). The rule matches process-creation events whose parent image ends with '\wsreset.exe' and excludes child processes whose image ends with '\conhost.exe', the console host that WSReset.exe normally starts; any other child of WSReset.exe raises an alert. Because the logic keys on the parent image, it needs process-creation telemetry that records the parent process (for example Sysmon Event ID 1), and the string matches should be case-insensitive, as Windows paths are. The conhost.exe exclusion is what keeps legitimate cache resets quiet; note that it is a suffix match on the image name only, so when triaging an alert, or its absence, confirm the full path of any child named conhost.exe. Relevant documentation and articles provide further insight into the technique and its implications for system security.
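The rule logic described above, evaluated over constructed process-creation records, as an added example that is not the rule's own source or any project's code. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), the sample events are made up, and the stricter variant that only excludes the console host under System32 is an assumption of this example, not part of the rule.

```python
# Added example: evaluates the WSReset.exe UAC-bypass rule logic over
# constructed Sysmon Event ID 1-style records. Not the rule's own code.
# Field names (Image, ParentImage, CommandLine) follow Sysmon; the events
# in SAMPLE_EVENTS are invented for illustration.

from typing import Dict, Iterable, List

Event = Dict[str, object]

# Rule logic as described: a selection on the parent image, a filter on the
# child image, and the condition "selection and not filter".
PARENT_SUFFIX = "\\wsreset.exe"
CONHOST_SUFFIX = "\\conhost.exe"
# Assumed path of the genuine console host (used only by the strict variant).
CONHOST_SYSTEM_PATH = "c:\\windows\\system32\\conhost.exe"


def endswith_ci(value: object, suffix: str) -> bool:
    """Case-insensitive suffix match: Windows paths are case-insensitive, so
    'WSReset.exe' and 'wsreset.exe' must both match."""
    return isinstance(value, str) and value.lower().endswith(suffix.lower())


def matches_rule(event: Event) -> bool:
    """The rule as described: any child of wsreset.exe except conhost.exe."""
    if event.get("EventID") != 1:          # only process-creation events
        return False
    selection = endswith_ci(event.get("ParentImage"), PARENT_SUFFIX)
    filtered = endswith_ci(event.get("Image"), CONHOST_SUFFIX)
    return selection and not filtered


def matches_rule_strict(event: Event) -> bool:
    """Added, stricter variant (an assumption of this example, not the rule):
    the exclusion covers only the real console host under System32, so a
    payload merely named conhost.exe in another directory is still reported."""
    if event.get("EventID") != 1:
        return False
    selection = endswith_ci(event.get("ParentImage"), PARENT_SUFFIX)
    image = event.get("Image")
    genuine_conhost = isinstance(image, str) and image.lower() == CONHOST_SYSTEM_PATH
    return selection and not genuine_conhost


def run_detection(events: Iterable[Event], strict: bool = False) -> List[Event]:
    """Return the events that would raise an alert."""
    check = matches_rule_strict if strict else matches_rule
    return [e for e in events if check(e)]


def alert_images(events: Iterable[Event], strict: bool = False) -> List[str]:
    """Child image of each alerting event, for a quick summary."""
    return [str(e["Image"]) for e in run_detection(events, strict)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # 1. benign: WSReset.exe starting its console host -> excluded
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WSReset.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # 2. suspicious: WSReset.exe spawning a shell -> alert
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WSReset.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami /groups"},
    # 3. unrelated: a shell started from Explorer -> no match
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    # 4. a payload renamed conhost.exe in a user directory: the suffix-only
    #    filter suppresses it, the strict variant reports it
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wsreset.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\conhost.exe",
     "CommandLine": "conhost.exe"},
    # 5. not a process-creation event (no parent recorded) -> ignored
    {"EventID": 3, "Image": r"C:\Windows\System32\WSReset.exe"},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT (rule):  ", hit["ParentImage"], "->", hit["Image"])
    for hit in run_detection(SAMPLE_EVENTS, strict=True):
        print("ALERT (strict):", hit["ParentImage"], "->", hit["Image"])
```

Run against the samples, the rule as described alerts only on event 2; event 4 shows why the full path of a child named conhost.exe is worth checking during triage, which the strict variant does by matching the whole System32 path instead of the name suffix.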
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2019-10-24