
Suspicious SYSTEM User Process Creation

Sigma Rules

Summary
This rule monitors for suspicious process creation events occurring under the SYSTEM user context on Windows. It uses the integrity level attached to each process to separate legitimate from potentially malicious activity: the general selection captures only processes running at the SYSTEM integrity level, and the known benign users denoted by 'AUTHORI' and 'AUTORI' are filtered out to reduce false positives. The rule lists executable names (e.g., calc.exe, cscript.exe) that are common in administrative tasks but can indicate suspicious behaviour when used inappropriately. In addition, the CommandLine criteria cover flags and keywords associated with encoded commands and privilege escalation techniques, particularly credential access (e.g., 'vssadmin delete shadows', 'reg SAVE HKLM'). An alert fires when every criterion in the selection is met and none of the filter categories, which exclude known tools and administrative tasks, matches. Given the sensitivity of the actions monitored, the rule carries a high severity level and aims to surface potentially malicious actions masked under administrator roles.
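The selection-and-filter logic described above, as an added worked example that is not the rule's own Sigma source: a small evaluator run over constructed process-creation events. The image names and command-line keywords come from the summary; the filter on a placeholder "known admin tool" parent path is an assumption, since the page names no concrete filter values.

```python
# Added example, not the Sigma rule's own source: a minimal evaluator for the
# selection/filter structure the summary describes, run over constructed events.
SUSPICIOUS_IMAGES = ("\\calc.exe", "\\cscript.exe")                # named on the page
SUSPICIOUS_CMDLINE = ("vssadmin delete shadows", "reg SAVE HKLM")  # named on the page
SYSTEM_USER_MARKERS = ("AUTHORI", "AUTORI")    # NT AUTHORITY\... and AUTORITE NT\...
# Assumption: one filter on a placeholder "known admin tool" parent; the page
# names no concrete filter values, so this path is invented for illustration.
FILTER_PARENT_IMAGES = ("\\known_admin_tool_placeholder.exe",)

def matches_selection(ev: dict) -> bool:
    """Sigma 'selection': SYSTEM integrity, SYSTEM-like user, suspicious image or cmdline."""
    if ev.get("IntegrityLevel") != "System":
        return False
    user = ev.get("User", "").upper()
    if not any(marker in user for marker in SYSTEM_USER_MARKERS):
        return False
    # Sigma contains/endswith matching is case-insensitive, hence lower().
    image = ev.get("Image", "").lower()
    cmdline = ev.get("CommandLine", "").lower()
    return (image.endswith(tuple(i.lower() for i in SUSPICIOUS_IMAGES))
            or any(k.lower() in cmdline for k in SUSPICIOUS_CMDLINE))

def matches_filter(ev: dict) -> bool:
    """Sigma 'filter_*' blocks: benign parents that suppress an otherwise matching event."""
    parent = ev.get("ParentImage", "").lower()
    return parent.endswith(tuple(p.lower() for p in FILTER_PARENT_IMAGES))

def evaluate(events):
    """Condition 'selection and not 1 of filter_*'; returns ids of alerting events."""
    return [ev["id"] for ev in events
            if matches_selection(ev) and not matches_filter(ev)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},           # alerts
    {"id": 2, "IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},      # benign, no match
    {"id": 3, "IntegrityLevel": "High", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\calc.exe", "CommandLine": "calc.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},                # not SYSTEM integrity
    {"id": 4, "IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\cscript.exe", "CommandLine": "cscript.exe task.vbs",
     "ParentImage": "C:\\Tools\\known_admin_tool_placeholder.exe"},  # suppressed by filter
    {"id": 5, "IntegrityLevel": "System", "User": "AUTORITE NT\\SYSTEM",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save hklm\\system C:\\Temp\\sys.hiv",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},           # alerts (French locale)
]
```

Running `evaluate(SAMPLE_EVENTS)` returns `[1, 5]`: event 4 matches the selection but is suppressed by the filter, showing why the condition must be `selection and not 1 of filter_*` rather than the selection alone.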
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2021-12-20