
Summary
This rule monitors for suspicious behavior indicating a potential User Account Control (UAC) bypass on Windows systems. It captures instances where a process associated with known UAC bypass techniques spawns child processes that run at a higher integrity level than the parent. This pattern could signify an attacker exploiting a UAC bypass to escalate privileges and enable further system compromise. The detection is implemented through Sysmon Event ID 1, which provides process integrity levels, along with additional event log entries from Windows Security. By analyzing these events, the rule helps identify unauthorized privilege escalation that could lead to malicious activity.
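The comparison described above, as an added example (not the rule's own implementation): Sysmon Event ID 1 records the new process's IntegrityLevel but not the parent's, so the parent's level is resolved from the parent's own Event ID 1 record by matching ParentProcessGuid to ProcessGuid. The events and the watchlist entry are constructed placeholders, not values from this rule.

```python
# Added example, not the rule's own implementation: child-vs-parent integrity
# comparison over Sysmon Event ID 1 records. Event ID 1 carries the new
# process's IntegrityLevel but not the parent's, so the parent's level is
# looked up from the parent's own Event ID 1 record (ParentProcessGuid ->
# ProcessGuid). The watchlist name below is a constructed placeholder.
from typing import Dict, Iterable, List

# Sysmon IntegrityLevel strings ordered from least to most privileged.
INTEGRITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "System": 4}

# Placeholder for the binaries the rule associates with UAC bypass techniques.
WATCHED_PARENTS = {"uacbypass-placeholder.exe"}

# Constructed Sysmon Event ID 1 records, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{A}", "ParentProcessGuid": "{0}", "Image": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"ProcessGuid": "{B}", "ParentProcessGuid": "{A}", "Image": r"C:\Windows\System32\uacbypass-placeholder.exe", "IntegrityLevel": "Medium"},
    {"ProcessGuid": "{C}", "ParentProcessGuid": "{B}", "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High"},
    {"ProcessGuid": "{D}", "ParentProcessGuid": "{B}", "Image": r"C:\Windows\System32\notepad.exe", "IntegrityLevel": "Medium"},
    {"ProcessGuid": "{E}", "ParentProcessGuid": "{X}", "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "High"},
]


def find_elevated_children(events: Iterable[Dict[str, str]], watched: set) -> List[Dict[str, str]]:
    """Alert when a watched parent spawns a child at a strictly higher integrity level."""
    by_guid = {e["ProcessGuid"]: e for e in events}  # index so parents can be resolved
    alerts = []
    for child in by_guid.values():
        parent = by_guid.get(child["ParentProcessGuid"])
        if parent is None:
            continue  # parent's creation event not in this window: level unknown, skip
        parent_name = parent["Image"].rsplit("\\", 1)[-1].lower()
        if parent_name not in watched:
            continue
        child_rank = INTEGRITY_RANK.get(child["IntegrityLevel"], 0)
        parent_rank = INTEGRITY_RANK.get(parent["IntegrityLevel"], 0)
        if child_rank > parent_rank:
            alerts.append({
                "parent": parent["Image"], "parent_level": parent["IntegrityLevel"],
                "child": child["Image"], "child_level": child["IntegrityLevel"],
                "technique": "T1548.002",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_elevated_children(SAMPLE_EVENTS, WATCHED_PARENTS):
        print(alert)
```

Children whose parent record is absent from the window are skipped rather than alerted, so a real deployment should keep enough history for the parent's creation event to be found.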
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1548
- T1548.002
Created: 2024-12-10