CMLUA Or CMSTPLUA UAC Bypass

Splunk Security Content

Summary
This detection rule identifies attempts to bypass User Account Control (UAC) through the CMLUA and CMSTPLUA COM objects. It relies on Sysmon EventCode 7 (image load) events and looks for the DLLs that back these objects (CMLUA.dll, CMSTPLUA.dll and CMLUAUTIL.dll) being loaded by processes that have no ordinary reason to load them. A load of these DLLs in an unexpected process context can indicate a privilege-escalation attempt; the technique is used by adversaries, notably in ransomware operations. The detection excludes known legitimate applications to keep false positives low while still surfacing unauthorized elevation that can lead to administrative access and system compromise. Analysts should track which applications load these DLLs in their own environment and refine the exclusions accordingly.
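The following is an added, stand-alone illustration of the detection idea described above, not Splunk's own search or its exclusion list. It filters Sysmon EventCode 7 records for loads of CMLUA.dll, CMSTPLUA.dll or CMLUAUTIL.dll and raises an alert when the loading process is not on an allowlist. The allowlist (cmstp.exe and the COM surrogate dllhost.exe under System32/SysWOW64), the field names and the sample events are assumptions constructed for the example and should be tuned per environment.

```python
import ntpath
from dataclasses import dataclass

# DLL file names named on the page. Matched on the base name, case-insensitively,
# so a load from any directory is considered, not only System32.
WATCHED_DLLS = {"cmlua.dll", "cmstplua.dll", "cmluautil.dll"}

# Assumed allowlist of process images that legitimately load these DLLs.
# This is an example assumption, not the rule's real exclusion list.
ALLOWED_IMAGES = {
    r"c:\windows\system32\cmstp.exe",
    r"c:\windows\syswow64\cmstp.exe",
    r"c:\windows\system32\dllhost.exe",
    r"c:\windows\syswow64\dllhost.exe",
}


@dataclass(frozen=True)
class Alert:
    process_id: int
    image: str          # loading process, normalized to lower case
    image_loaded: str   # DLL path as reported by Sysmon
    user: str


def _norm(path: str) -> str:
    """Lower-case and trim a Windows path for comparison."""
    return path.strip().lower()


def detect_cmlua_loads(events, allowed_images=ALLOWED_IMAGES):
    """Return one Alert per Sysmon image-load event (EventCode 7) in which a
    watched DLL is loaded by a process that is not on the allowlist."""
    alerts = []
    for ev in events:
        # Only image-load events carry the ImageLoaded field we care about.
        if str(ev.get("EventCode", "")) != "7":
            continue
        image_loaded = ev.get("ImageLoaded", "")
        if ntpath.basename(_norm(image_loaded)) not in WATCHED_DLLS:
            continue
        image = _norm(ev.get("Image", ""))
        if image in allowed_images:
            continue
        alerts.append(
            Alert(
                process_id=int(ev.get("ProcessId", 0)),
                image=image,
                image_loaded=image_loaded,
                user=ev.get("User", ""),
            )
        )
    return alerts


# Constructed sample events in the shape Sysmon fields usually arrive in
# (field names per Sysmon's Event ID 7 schema; values are made up).
SAMPLE_EVENTS = [
    {"EventCode": "7", "ProcessId": "2244", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\dllhost.exe",
     "ImageLoaded": r"C:\Windows\System32\cmstplua.dll"},          # allowed host
    {"EventCode": "7", "ProcessId": "4120", "User": "LAB\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\CMLUA.dll"},             # alert
    {"EventCode": "7", "ProcessId": "5016", "User": "LAB\\alice",
     "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},          # unrelated DLL
    {"EventCode": "1", "ProcessId": "5310", "User": "LAB\\alice",
     "Image": r"C:\Windows\Temp\tool.exe"},                        # not an image load
    {"EventCode": "7", "ProcessId": "5310", "User": "LAB\\alice",
     "Image": r"C:\Windows\Temp\tool.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\CMLUAUTIL.dll"},         # alert
]


if __name__ == "__main__":
    for alert in detect_cmlua_loads(SAMPLE_EVENTS):
        print(f"pid={alert.process_id} user={alert.user} "
              f"image={alert.image} loaded={alert.image_loaded}")
```

Passing a different `allowed_images` set lets you test how a tighter or looser exclusion list changes the alert volume on your own Sysmon data before changing the production search.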
Categories
  • Endpoint
Data Sources
  • Pod
  • User Account
  • Process
  • Windows Registry
  • Network Traffic
ATT&CK Techniques
  • T1218
  • T1218.003
  • T1548
Created: 2024-11-13