
Summary
This analytic detects a potential UAC (User Account Control) bypass that abuses the colorui.dll COM object. UAC bypass techniques are commonly used by malware, LockBit ransomware among them, to obtain elevated privileges without triggering the consent prompt. The rule monitors Sysmon EventCode 7 (Image Loaded) for events in which colorui.dll is loaded by any process other than the expected colorcpl.exe and the loaded library resides outside well-known system directories such as Windows or Program Files; the path exclusion keeps the legitimate system copy of the DLL from generating alerts. A load that meets all of these conditions suggests that a copy of colorui.dll has been placed and loaded from a non-standard location, which may allow further actions to run with elevated privileges, so matching events should be investigated promptly.
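As an added worked example, not the rule's own search logic: the conditions described above expressed in Python and run over constructed Sysmon EventCode 7 records. The field names (EventCode, Image, ImageLoaded, Computer) follow Sysmon's event schema; the trusted-directory list and the sample events are assumptions made for this example.

```python
import json
from pathlib import PureWindowsPath

# Directories where a legitimate colorui.dll is expected to live. This list is an
# assumption made for the example; extend it if your build deploys the DLL elsewhere.
TRUSTED_DLL_DIRS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

EXPECTED_LOADER = "colorcpl.exe"   # the process the rule treats as the normal loader
TARGET_DLL = "colorui.dll"


def _under_any(path: str, roots) -> bool:
    """Return True if `path` sits beneath one of `roots`.

    PureWindowsPath compares case-insensitively and matches whole path
    components, so C:\\Program Files Evil\\x.dll is not treated as trusted.
    """
    parents = PureWindowsPath(path).parents
    return any(PureWindowsPath(root) in parents for root in roots)


def is_suspicious_colorui_load(event: dict) -> bool:
    """Apply the rule's conditions to one parsed Sysmon event.

    Mirrors the summary: Sysmon EventCode 7 (Image Loaded), the loaded image is
    colorui.dll, the loading process is not colorcpl.exe, and the DLL is not
    under a trusted system or Program Files directory.
    """
    if str(event.get("EventCode")) != "7":          # accepts int 7 or string "7"
        return False
    dll = PureWindowsPath(event.get("ImageLoaded", ""))
    loader = PureWindowsPath(event.get("Image", ""))
    if dll.name.lower() != TARGET_DLL:
        return False
    if loader.name.lower() == EXPECTED_LOADER:      # expected loader is excluded
        return False
    if _under_any(str(dll), TRUSTED_DLL_DIRS):      # legitimate system copy
        return False
    return True


def detect(json_lines) -> list:
    """Run the rule over newline-delimited JSON events; return the matching events."""
    alerts = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_suspicious_colorui_load(event):
            alerts.append(event)
    return alerts


# Constructed sample events (not real telemetry); only the fields the rule needs.
SAMPLE_LOG = [
    # Normal: colorcpl.exe loads the system copy.
    r'{"EventCode": 7, "Computer": "ws01", "Image": "C:\\Windows\\System32\\colorcpl.exe", "ImageLoaded": "C:\\Windows\\System32\\colorui.dll"}',
    # Normal: another process loads the system copy from a trusted path.
    r'{"EventCode": 7, "Computer": "ws01", "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\colorui.dll"}',
    # Suspicious: an unknown binary loads a colorui.dll dropped in a temp directory.
    r'{"EventCode": 7, "Computer": "ws02", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\colorui.dll"}',
    # Suspicious: a system binary loads the DLL from a user-writable path.
    r'{"EventCode": 7, "Computer": "ws02", "Image": "C:\\Windows\\System32\\rundll32.exe", "ImageLoaded": "C:\\Users\\Public\\colorui.dll"}',
    # Not flagged by this rule: the loader is colorcpl.exe, even though the DLL path is odd.
    r'{"EventCode": 7, "Computer": "ws03", "Image": "C:\\Windows\\System32\\colorcpl.exe", "ImageLoaded": "C:\\Users\\Public\\colorui.dll"}',
    # Wrong event type: a process-creation event that mentions the DLL is ignored.
    r'{"EventCode": 1, "Computer": "ws03", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\Public\\colorui.dll,Start"}',
    # Lookalike directory name must not be treated as trusted.
    r'{"EventCode": 7, "Computer": "ws04", "Image": "C:\\Program Files Update\\agent.exe", "ImageLoaded": "C:\\Program Files Update\\colorui.dll"}',
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f'{hit["Computer"]}: {hit["Image"]} loaded {hit["ImageLoaded"]}')
```

Running the block reports the third, fourth and seventh sample events. The fifth event shows a consequence of excluding colorcpl.exe as the loader: a planted colorui.dll loaded by colorcpl.exe itself from a user-writable directory does not match, so a complementary condition on the DLL path alone may be worth adding if that case matters in your environment. The path check compares whole components rather than string prefixes, which is why the "Program Files Update" lookalike directory is still flagged.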
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
- Windows Registry
ATT&CK Techniques
- T1218
- T1218.003
- T1546.015
Created: 2024-11-13