Windows Privilege Escalation Suspicious Process Elevation

Splunk Security Content

Summary
This detection rule targets potentially malicious behavior on a Windows system by monitoring for instances where a process running at low or medium integrity spawns an elevated process at high or system integrity from within suspicious directories. This behavior often signifies an attempt at privilege escalation, as threat actors seek to execute code with higher privileges for unauthorized access or operations. The detection leverages data from Sysmon Event ID 1 and the Windows Security event log, specifically parent-child process relationships and their integrity levels. Confirming such behavior is critical, as it may indicate a serious security breach up to and including full system compromise.
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1068
  • T1134.001
  • T1548
  • T1134
Created: 2024-11-13