Privileges Elevation via Parent Process PID Spoofing

Elastic Detection Rules

Summary
This threat detection rule, authored by Elastic, aims to identify instances of Privilege Elevation via Parent Process PID Spoofing on Windows systems. Adversaries may spoof the Parent Process Identifier (PPID) of new processes to bypass security controls or to elevate their privileges. The detection logic focuses on process creation events whose reported parent PID does not correspond to the process that actually created them, while checking the user ID of the new process for elevated privileges, specifically the SYSTEM account. By filtering out known safe executables and monitoring for unexpected process behaviors, this rule can highlight potential malicious activity that leverages PPID manipulation for unauthorized privilege escalation.
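The three conditions the summary describes (a spoofed parent PID, a child running as SYSTEM, and an executable not on a known-safe list) can be expressed as a small detector run over process creation telemetry. The code below is an added illustration written for this page, not Elastic's rule logic. It assumes an endpoint sensor that records, for each process creation, both the parent PID the new process claims and the PID of the process that actually issued the creation call; the field names, the `KNOWN_SAFE_EXECUTABLES` entries and the sample events are all constructed for the example.

```python
"""Minimal parent-PID (PPID) spoofing detector (illustrative, not Elastic's rule)."""
from dataclasses import dataclass
from typing import Iterable, List

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Hypothetical allowlist: executables that legitimately report a parent PID
# different from their creator. Placeholder path, not taken from the rule.
KNOWN_SAFE_EXECUTABLES = {
    r"c:\example\trusted_broker.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    """One process creation event as an assumed sensor would record it."""
    pid: int
    claimed_ppid: int   # parent PID the new process reports (what spoofing changes)
    creator_pid: int    # PID of the process that actually performed the creation
    user: str           # account the new process runs as
    executable: str     # full path of the new process image


@dataclass(frozen=True)
class Alert:
    pid: int
    executable: str
    claimed_ppid: int
    creator_pid: int
    reason: str


def is_ppid_spoofed(ev: ProcessEvent) -> bool:
    """True when the parent the process claims is not the process that created it."""
    return ev.claimed_ppid != ev.creator_pid


def detect_ppid_spoof_elevation(events: Iterable[ProcessEvent]) -> List[Alert]:
    """Flag SYSTEM-level processes whose reported parent PID was spoofed.

    Mirrors the page's three conditions: parent PID mismatch, child running
    as SYSTEM, and executable absent from the known-safe list.
    """
    alerts: List[Alert] = []
    for ev in events:
        if not is_ppid_spoofed(ev):
            continue                       # parent is genuine, nothing to see
        if ev.user.upper() != SYSTEM_USER:
            continue                       # spoofed, but no elevation to SYSTEM
        if ev.executable.lower() in KNOWN_SAFE_EXECUTABLES:
            continue                       # documented benign mismatch
        alerts.append(Alert(
            pid=ev.pid,
            executable=ev.executable,
            claimed_ppid=ev.claimed_ppid,
            creator_pid=ev.creator_pid,
            reason="SYSTEM process with spoofed parent PID",
        ))
    return alerts


# Constructed sample telemetry (not real log data). PIDs are arbitrary.
SAMPLE_EVENTS = [
    # Normal: services.exe (612) really did create this svchost.
    ProcessEvent(4100, 612, 612, SYSTEM_USER, r"c:\windows\system32\svchost.exe"),
    # Spoofed: claims services.exe as parent, but a user process (3310) created it.
    ProcessEvent(5200, 612, 3310, SYSTEM_USER, r"c:\users\bob\appdata\local\temp\payload.exe"),
    # Spoofed, but the child is not SYSTEM, so no elevation is involved.
    ProcessEvent(5300, 612, 3310, "DESKTOP\\bob", r"c:\users\bob\appdata\local\temp\tool.exe"),
    # Spoofed and SYSTEM, but the image is on the hypothetical allowlist.
    ProcessEvent(5400, 612, 3310, SYSTEM_USER, r"c:\example\trusted_broker.exe"),
]


def run_sample() -> List[Alert]:
    """Run the detector over the constructed events; expects exactly one alert."""
    return detect_ppid_spoof_elevation(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The decisive input is the creator PID: a sensor that only records the parent PID the process itself reports cannot tell a spoofed parent from a real one, which is why the rule relies on endpoint process telemetry rather than the process's own view of its parent.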
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1134.002
  • T1134
  • T1134.004
Created: 2022-10-20