HackTool - Empire PowerShell UAC Bypass

Sigma Rules

Summary
This detection rule identifies attempts to bypass User Account Control (UAC) using techniques implemented in the Empire PowerShell post-exploitation framework. Specifically, it targets command-line arguments that launch PowerShell without a visible user interface. The rule inspects process creation events for specific command-line patterns known to be associated with Empire's UAC bypass. Because these methods are primarily used for privilege escalation, detecting them helps identify a potential compromise and maintain the integrity of Windows environments.
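The summary describes the mechanics in one sentence: process creation events are checked for command-line substrings. The following Python is an added illustration, not the rule itself or any Sigma project code. It evaluates a small Sigma-style `selection` block (field modifiers `endswith`, `contains`, `all`) over constructed process creation events. The `CommandLine` substrings are assumptions chosen to model "PowerShell launched with no profile, non-interactive, hidden window", which is the behaviour the summary describes; they are not the exact strings of the HackTool - Empire PowerShell UAC Bypass rule, and the payload in the sample event is a labelled placeholder.

```python
"""Sigma-style selection matching over process creation events (added example)."""
from typing import Dict, List, Union

# Constructed detection block in the shape of a Sigma rule.
# The substrings below are ASSUMED for illustration, not the real rule's values.
DETECTION = {
    "selection": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
        "CommandLine|contains|all": [" -NoP", " -NonI", " -w Hidden"],
    },
    "condition": "selection",
}

# Constructed sample events (Sysmon EventID 1 shape). Only the first one
# should match: the others are benign or lack the hidden-window flag.
SAMPLE_EVENTS: List[Dict[str, Union[int, str]]] = [
    {
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": 'powershell.exe -NoP -NonI -w Hidden -c "<constructed-payload-placeholder>"',
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
    },
    {
        "EventID": 1,
        "Image": "C:\\Windows\\explorer.exe",
        "CommandLine": "explorer.exe",
        "ParentImage": "C:\\Windows\\System32\\userinit.exe",
    },
    {
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -NoP -NonI -Command Get-Date",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
]


def _field_matches(event: Dict, key: str, values) -> bool:
    """Evaluate one 'Field|modifier...' entry; Sigma string matching is case-insensitive."""
    field, *mods = key.split("|")
    haystack = str(event.get(field, "")).lower()
    needles = [str(v).lower() for v in (values if isinstance(values, list) else [values])]
    op = next((m for m in mods if m in ("contains", "startswith", "endswith")), None)

    def one(needle: str) -> bool:
        if op == "contains":
            return needle in haystack
        if op == "startswith":
            return haystack.startswith(needle)
        if op == "endswith":
            return haystack.endswith(needle)
        return haystack == needle  # no modifier: exact match

    # A value list is OR by default; the 'all' modifier turns it into AND.
    return all(one(n) for n in needles) if "all" in mods else any(one(n) for n in needles)


def selection_matches(event: Dict, selection: Dict) -> bool:
    """All fields of a selection must match (Sigma map semantics)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(events: List[Dict], detection: Dict = DETECTION) -> List[Dict]:
    """Return the process creation events that satisfy the constructed detection."""
    selection = detection["selection"]
    return [e for e in events if e.get("EventID") == 1 and selection_matches(e, selection)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

The `all` modifier is what keeps the false-positive rate manageable here: the second and fourth sample events use some of the same flags for legitimate scripted work and are correctly ignored because the hidden-window flag is absent.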
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2019-08-30