Windows Bypass UAC via Pkgmgr Tool

Splunk Security Content

Summary
This analytic rule detects the execution of the deprecated 'pkgmgr.exe' with an XML input file, an unusual activity that could signify an attempt to bypass User Account Control (UAC) in Windows environments. The rule monitors process execution and analyzes command-line arguments using data sources such as Sysmon and Windows Event Logs, flagging cases where 'pkgmgr.exe' is invoked in an atypical manner, such as loading an XML file. Because the tool is deprecated and modern systems and security tooling no longer rely on it, any invocation is notable. Detection of this action could indicate that an attacker is attempting to execute commands with elevated privileges, which could lead to unauthorized access and modifications to the system. Organizations should therefore deploy this analytic, backed by the relevant EDR telemetry, to mitigate risks associated with UAC bypass techniques.
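To make the detection logic concrete, the following is an added example (not the Splunk rule itself) that applies the same idea to a handful of constructed process-creation events: flag any execution of pkgmgr.exe whose command line references an .xml file, and tag the hit with T1548.002. The event dictionaries use Sysmon EventID 1 style field names (Image, CommandLine, User, Computer), which is an assumption about the log schema; the sample command lines and hostnames are made up for illustration.

```python
import re
from typing import Dict, List

# Constructed sample events shaped like Sysmon EventID 1 (process creation) records.
# None of these come from a real system; they exist only to exercise the logic below.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # pkgmgr.exe loading an XML file: the behaviour the analytic is looking for
        "Computer": "ws01.example.local",
        "User": "EXAMPLE\\alice",
        "Image": "C:\\Windows\\System32\\pkgmgr.exe",
        "CommandLine": "pkgmgr.exe /n:C:\\Users\\Public\\unattend.xml",
    },
    {   # same binary, but mixed-case path and a quoted path containing a space
        "Computer": "ws02.example.local",
        "User": "EXAMPLE\\bob",
        "Image": "C:\\WINDOWS\\SYSTEM32\\PkgMgr.exe",
        "CommandLine": "\"C:\\WINDOWS\\SYSTEM32\\PkgMgr.exe\" /n:\"C:\\temp\\a b.XML\"",
    },
    {   # pkgmgr.exe run without an XML argument: unusual, but not what this rule keys on
        "Computer": "ws03.example.local",
        "User": "EXAMPLE\\carol",
        "Image": "C:\\Windows\\System32\\pkgmgr.exe",
        "CommandLine": "pkgmgr.exe /?",
    },
    {   # an unrelated process opening an XML file: must not match
        "Computer": "ws04.example.local",
        "User": "EXAMPLE\\dave",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe C:\\Users\\dave\\config.xml",
    },
]

ATTACK_TECHNIQUE = "T1548.002"  # Abuse Elevation Control Mechanism: Bypass UAC

# Matches a ".xml" token anywhere in the command line, case-insensitively, regardless
# of which switch carries it. \b keeps "file.xmlx" from matching.
XML_ARG = re.compile(r"\.xml\b", re.IGNORECASE)


def process_name(image: str) -> str:
    """Return the lower-cased file name component of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_pkgmgr_xml_exec(event: Dict[str, str]) -> bool:
    """True when the event is pkgmgr.exe started with an XML file on its command line."""
    if process_name(event.get("Image", "")) != "pkgmgr.exe":
        return False
    return XML_ARG.search(event.get("CommandLine", "")) is not None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the check over a batch of events and return enriched findings."""
    findings = []
    for ev in events:
        if is_pkgmgr_xml_exec(ev):
            findings.append({
                "host": ev.get("Computer", "<unknown>"),
                "user": ev.get("User", "<unknown>"),
                "command_line": ev.get("CommandLine", ""),
                "technique": ATTACK_TECHNIQUE,
            })
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit['technique']}] {hit['host']} {hit['user']}: {hit['command_line']}")
```

Of the four constructed events, only the first two are reported; the bare pkgmgr.exe invocation and the notepad.exe event fall through. In a real deployment the same predicate would be expressed in the SIEM's query language over the EDR or Sysmon index, and the parent process and user context from the hit would be pulled in for triage.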
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1548.002
Created: 2024-11-13