
Windows WMI Impersonate Token

Splunk Security Content

Summary
This detection rule identifies potential Windows Management Instrumentation (WMI) token impersonation, which can indicate a privilege escalation attempt or an evasion tactic commonly employed by malware such as Qakbot. The rule analyzes Sysmon EventCode 10 (process access) events and specifically targets those in which 'wmiprvse.exe' is the source process and the access granted to the target process includes duplicate-handle rights or full access. Such behavior is suspicious because it can give the WMI provider host the ability to duplicate another process's token and so gain unauthorized access to sensitive system resources. The rule is designed to alert security teams to investigate further whenever the flagged activity is detected, since it may indicate a compromised system or a malicious actor attempting to elevate their access rights.
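As an added example that is not the rule's own SPL (the page does not reproduce the search), the Python below applies the described logic to constructed Sysmon EventCode 10 records: the access-mask constants come from winnt.h, while the sample lines, their key=value layout and the helper names are assumptions made for this illustration.

```python
import re
from typing import Dict, List

# Process access rights from winnt.h. Sysmon logs PROCESS_ALL_ACCESS as
# 0x1FFFFF on current Windows versions; PROCESS_DUP_HANDLE is a single bit.
PROCESS_DUP_HANDLE = 0x0040
PROCESS_ALL_ACCESS = 0x1FFFFF

# Constructed sample Sysmon records in a flat key=value form. These are NOT
# real telemetry; they exist only to exercise the detection logic below.
SAMPLE_EVENTS = [
    "EventCode=10 SourceImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1478",
    "EventCode=10 SourceImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1fffff",
    "EventCode=10 SourceImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x1000",
    "EventCode=10 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1fffff",
    "EventCode=1 Image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe CommandLine=...",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value Sysmon line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def is_wmi_token_impersonation(event: Dict[str, str]) -> bool:
    """True when wmiprvse.exe opens a target with DUP_HANDLE or full access."""
    if event.get("EventCode") != "10":  # only ProcessAccess events qualify
        return False
    source = event.get("SourceImage", "").lower()
    if not source.endswith("\\wmiprvse.exe"):  # match on the image name only
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:  # malformed mask: do not alert on garbage
        return False
    return granted == PROCESS_ALL_ACCESS or bool(granted & PROCESS_DUP_HANDLE)


def find_hits(lines: List[str]) -> List[str]:
    """Return the TargetImage of every record the rule would alert on."""
    return [ev["TargetImage"] for ev in map(parse_event, lines)
            if is_wmi_token_impersonation(ev)]


if __name__ == "__main__":
    for target in find_hits(SAMPLE_EVENTS):
        print("ALERT: wmiprvse.exe accessed " + target)
```

The third record (GrantedAccess 0x1000, PROCESS_QUERY_LIMITED_INFORMATION) is deliberately benign and must not fire, and the csrss.exe record shows that full access from a non-WMI source is outside this rule's scope.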
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Process
  • Application Log
ATT&CK Techniques
  • T1047
Created: 2024-11-13