UAC Bypass via Sdclt

Sigma Rules

Summary
This detection rule identifies potential User Account Control (UAC) bypass attempts that rely on manipulating the registry keys associated with sdclt.exe, a technique documented in UACMe. It looks for modifications to specific registry values that indicate an attacker is trying to escalate privileges by abusing how the Windows UAC mechanism handles this binary. The rule defines two selections: one matches the command registered for the 'runas' verb on executable files, the other matches symbolic links written into folder command entries. The rule fires when either selection matches, flagging a possible UAC bypass.
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2017-03-17