Summary
Detects execution of tools from the symboliclink-testing-tools toolkit, which are commonly used to abuse Windows symbolic links, junctions, and oplocks to escalate privileges from a standard user to SYSTEM. The rule flags process creation events whose process name matches a curated set of tool names (BaitAndSwitch.exe, CreateDosDeviceSymlink.exe, CreateMountPoint.exe, CreateNtfsSymlink.exe, CreateObjectDirectory.exe, CreateRegSymlink.exe, DeleteMountPoint.exe, DumpReparsePoint.exe, NativeSymlink.exe, SetOpLock.exe) across the supported data sources.

The detection is implemented as a Splunk search over the Endpoint.Processes CIM data model. It matches on process_name and returns the surrounding endpoint telemetry (process GUID, command line, process_path, user, dest, parent_process, integrity_level, original_file_name, etc.) so that each execution can be read in its parent/child context. Data sources are Sysmon EventID 1, Windows Security Event 4688, and CrowdStrike ProcessRollup2, which together cover process creation details and command lines.

The rule ships with two drill-down searches to view the matching results and a separate risk view over the last 7 days. It maps to MITRE ATT&CK T1222 (File and Directory Permissions Modification) and T1564.004 (Symbolic Link). When triggered, it reports a risk object on the destination path with a score of 50 and attributes the event to the specific parent_process_name, which supports rapid triage of potential privilege-escalation attempts.

Some genuine administrative or testing activity may invoke these tools, so filter out authorized maintenance and testing hosts. References point to the Symbolic Link Testing Tools project for context and validation.
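The following is an added reference implementation of the detection logic described above; it is not the rule's own SPL search and not code from the Symbolic Link Testing Tools project. It normalizes constructed Sysmon EventID 1 and Security 4688 records into the Endpoint.Processes-style fields the rule keys on, matches process_name case-insensitively against the curated tool list, emits a risk event with score 50 attributed to the parent process, and applies the authorized-testing filter the summary recommends. The host names, user names, paths, and the `(dest, user)` allowlist shape are assumptions made for this example.

```python
"""Reference detector for symboliclink-testing-tools execution (added example)."""
from dataclasses import dataclass
import ntpath

# Curated tool names from the rule summary; matched case-insensitively because
# process name casing differs between Sysmon and Security event sources.
SYMLINK_TOOLS = frozenset(name.lower() for name in (
    "BaitAndSwitch.exe", "CreateDosDeviceSymlink.exe", "CreateMountPoint.exe",
    "CreateNtfsSymlink.exe", "CreateObjectDirectory.exe", "CreateRegSymlink.exe",
    "DeleteMountPoint.exe", "DumpReparsePoint.exe", "NativeSymlink.exe",
    "SetOpLock.exe",
))
RISK_SCORE = 50  # score the rule assigns when it fires


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of Endpoint.Processes fields used by the rule."""
    dest: str
    user: str
    process_name: str
    process_path: str
    process: str               # full command line
    parent_process_name: str
    source: str                # telemetry that produced the record


@dataclass(frozen=True)
class RiskEvent:
    dest: str
    user: str
    process_name: str
    parent_process_name: str
    process: str
    risk_score: int


def from_sysmon(ev: dict) -> ProcessEvent:
    """Map Sysmon EventID 1 fields (Image, CommandLine, ParentImage, User, Computer)."""
    return ProcessEvent(
        dest=ev["Computer"], user=ev["User"],
        process_name=ntpath.basename(ev["Image"]), process_path=ev["Image"],
        process=ev["CommandLine"],
        parent_process_name=ntpath.basename(ev["ParentImage"]),
        source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
    )


def from_security_4688(ev: dict) -> ProcessEvent:
    """Map Security 4688 fields. CommandLine is only logged when the
    'Include command line in process creation events' policy is enabled."""
    return ProcessEvent(
        dest=ev["Computer"],
        user=f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
        process_name=ntpath.basename(ev["NewProcessName"]),
        process_path=ev["NewProcessName"],
        process=ev.get("CommandLine", ""),
        parent_process_name=ntpath.basename(ev.get("ParentProcessName", "")),
        source="XmlWinEventLog:Security",
    )


def detect(events, authorized=frozenset()):
    """Return one RiskEvent per execution of a listed tool. `authorized` is an
    assumed allowlist of (dest, user) pairs for sanctioned testing activity."""
    hits = []
    for ev in events:
        if ev.process_name.lower() not in SYMLINK_TOOLS:
            continue
        if (ev.dest, ev.user) in authorized:
            continue  # known maintenance/testing, per the summary's advice
        hits.append(RiskEvent(ev.dest, ev.user, ev.process_name,
                              ev.parent_process_name, ev.process, RISK_SCORE))
    return hits


# Constructed sample telemetry (not real logs): two tool runs on production
# hosts, one benign process, and one sanctioned run on a lab host.
SAMPLE_SYSMON = [
    {"Computer": "WS01.corp.example", "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\Downloads\\CreateMountPoint.exe",
     "CommandLine": "CreateMountPoint.exe C:\\Users\\alice\\link C:\\Users\\alice\\target",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Computer": "WS01.corp.example", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]
SAMPLE_4688 = [
    {"Computer": "SRV02.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "bob", "NewProcessName": "C:\\Temp\\setoplock.exe",
     "CommandLine": "setoplock.exe C:\\Temp\\target.txt",
     "ParentProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"Computer": "LAB-TEST01", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc_redteam", "NewProcessName": "C:\\Tools\\NativeSymlink.exe",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe"},
]
AUTHORIZED_TESTING = frozenset({("LAB-TEST01", "CORP\\svc_redteam")})


def run_sample():
    """Normalize both sample sources and run the detection over them."""
    events = [from_sysmon(e) for e in SAMPLE_SYSMON]
    events += [from_security_4688(e) for e in SAMPLE_4688]
    return detect(events, AUTHORIZED_TESTING)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"[risk {hit.risk_score}] {hit.dest} {hit.user} "
              f"{hit.parent_process_name} -> {hit.process_name}: {hit.process}")
```

Running the block flags the CreateMountPoint.exe run under cmd.exe on WS01 and the lowercase setoplock.exe run under powershell.exe on SRV02, while the notepad.exe event and the allowlisted lab host run are dropped; in Splunk the same allowlist would be expressed as an exclusion on dest and user after the tstats search.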
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Logon Session
- Script
- Image
- WMI
- Module
ATT&CK Techniques
- T1222
- T1564.004
Created: 2026-04-13