UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface

Elastic Detection Rules

Summary
This detection rule identifies attempts to bypass User Account Control (UAC) on Windows by abusing an elevated COM interface, specifically by executing a rogue instance of ClipUp. UAC is a core security feature that prompts for consent before elevated changes are made, and bypassing it enables privilege escalation without that prompt. The rule flags ClipUp processes launched from an unexpected path whose parent is dllhost.exe running with command-line arguments that indicate the IEditionUpgradeManager COM interface is being hosted; this pattern points to code being executed with elevated privileges without the user's permission. The rule draws on several data sources, including Sysmon, Microsoft Defender, and Elastic solutions, to monitor for this activity. Effective investigation requires cross-referencing process execution details, parent processes, and the user account involved, while accounting for legitimate scenarios that could produce false positives. Recommended response includes isolating affected systems and reviewing logs thoroughly for unauthorized changes.
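As an added illustration (not the Elastic rule's own query), the following Python evaluates constructed process events against the three conditions the summary describes: a ClipUp process, an executable path outside its expected System32 location, and a dllhost.exe parent whose arguments name the hosted COM server. The CLSID constant is a placeholder, since the rule's identifier is not given on this page, and the events are constructed samples, not real telemetry.

```python
from dataclasses import dataclass
from typing import List

# Placeholder: take the real IEditionUpgradeManager CLSID from the rule source.
EDITION_UPGRADE_MANAGER_CLSID = "{PLACEHOLDER-IEDITIONUPGRADEMANAGER-CLSID}"
# Where a legitimate ClipUp binary lives (compared case-insensitively).
EXPECTED_CLIPUP_PATHS = {r"c:\windows\system32\clipup.exe"}


@dataclass
class ProcessEvent:
    name: str
    executable: str
    parent_name: str
    parent_args: List[str]
    user: str


def is_uac_bypass_candidate(ev: ProcessEvent) -> bool:
    """Return True when the event matches the pattern the rule summary describes."""
    if ev.name.lower() != "clipup.exe":
        return False
    # A rogue ClipUp runs from somewhere other than its expected location.
    if ev.executable.lower() in EXPECTED_CLIPUP_PATHS:
        return False
    if ev.parent_name.lower() != "dllhost.exe":
        return False
    # dllhost.exe hosts a COM server via /Processid:{CLSID}; match the elevated one.
    hosted = [a.split(":", 1)[1].lower() for a in ev.parent_args
              if a.lower().startswith("/processid:")]
    return EDITION_UPGRADE_MANAGER_CLSID.lower() in hosted


def triage(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Filter a batch of process events down to the ones an analyst should review."""
    return [e for e in events if is_uac_bypass_candidate(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("ClipUp.exe", r"C:\Windows\System32\ClipUp.exe", "dllhost.exe",
                 [f"/Processid:{EDITION_UPGRADE_MANAGER_CLSID}"], "CORP\\alice"),      # legitimate path
    ProcessEvent("ClipUp.exe", r"C:\Users\Public\ClipUp.exe", "dllhost.exe",
                 [f"/Processid:{EDITION_UPGRADE_MANAGER_CLSID}"], "CORP\\alice"),      # rogue copy
    ProcessEvent("ClipUp.exe", r"C:\Users\Public\ClipUp.exe", "explorer.exe",
                 [], "CORP\\alice"),                                                  # wrong parent
    ProcessEvent("notepad.exe", r"C:\Windows\System32\notepad.exe", "dllhost.exe",
                 [f"/Processid:{EDITION_UPGRADE_MANAGER_CLSID}"], "CORP\\alice"),      # not ClipUp
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"review: {hit.user} {hit.executable} parent={hit.parent_name} {hit.parent_args}")
```

Only the second sample event is returned by `triage`; the first is excluded purely by its expected path, which is why the rule's false-positive review should confirm the binary's location and signer rather than its name.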
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • User Account
ATT&CK Techniques
  • T1548
  • T1548.002
  • T1559
  • T1559.001
Created: 2020-10-28