UAC Bypass Using Iscsicpl - ImageLoad

Summary
This detection rule targets a UAC (User Account Control) bypass that abuses the 'iscsicpl.exe' process on Windows systems. The technique relies on DLL (Dynamic Link Library) search order hijacking: 'iscsicpl.exe' can be made to load a DLL from a user-controlled location on the user's %PATH%, such as the Temp directory, so an attacker who plants a malicious DLL there gets it executed, with elevated privileges, when 'iscsicpl.exe' is invoked. The detection logic examines image-load events in which the loading process is 'iscsicpl.exe' and the loaded image ends with 'iscsiexe.dll', and excludes loads from the known system directory, which filters out legitimate use. Pinpointing this behavior surfaces attempts to bypass UAC protections.
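As an added example (not the rule's own source), the selection-and-filter logic described above applied to constructed Sysmon-style image-load records; it assumes the Sigma image_load field names Image and ImageLoaded, treats both System32 and SysWOW64 as the system directory, and normalizes the loaded path so a '..' segment cannot slip past the prefix filter.

```python
import ntpath

# Assumption: both the native and the WOW64 system directories count as the
# "known system directory"; the legitimate iscsiexe.dll lives in these.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_iscsicpl_hijack(event: dict) -> bool:
    """Return True when iscsicpl.exe loads an iscsiexe.dll from outside the
    system directories, i.e. the rule's selection with its filter applied."""
    image = event.get("Image", "").lower()
    # normpath collapses '..' and '/' so the prefix check below is meaningful.
    loaded = ntpath.normpath(event.get("ImageLoaded", "")).lower()
    # Selection: the loading process is iscsicpl.exe ...
    if ntpath.basename(image) != "iscsicpl.exe":
        return False
    # ... and the loaded module's file name is iscsiexe.dll.
    if ntpath.basename(loaded) != "iscsiexe.dll":
        return False
    # Filter: the legitimate copy loads from a system directory; drop those.
    return not loaded.startswith(SYSTEM_DIRS)


def find_hijacks(events: list[dict]) -> list[str]:
    """Return the ImageLoaded path of every event that matches the rule."""
    return [e["ImageLoaded"] for e in events if is_iscsicpl_hijack(e)]


# Constructed image-load events (Sysmon EventID 7 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\iscsicpl.exe",
     "ImageLoaded": r"C:\Windows\System32\iscsiexe.dll"},
    {"Image": r"C:\Windows\SysWOW64\iscsicpl.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\iscsiexe.dll"},
    {"Image": r"C:\Windows\SysWOW64\iscsicpl.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\iscsiexe.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\iscsiexe.dll"},
]

if __name__ == "__main__":
    for path in find_hijacks(SAMPLE_EVENTS):
        print("ALERT: iscsiexe.dll loaded from non-system path:", path)
```

Only the third sample fires: the first two are the legitimate system copies and the fourth is a different process loading the DLL, which this rule does not cover.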
Categories
  • Windows
  • Endpoint
Data Sources
  • Image
Created: 2022-07-17