Unusual Windows User Privilege Elevation Activity

Elastic Detection Rules

Summary
This detection rule uses a machine learning job to flag unusual user privilege elevation on Windows hosts, specifically the use of the 'runas' command or similar mechanisms that switch user context. Administrative users run these tools routinely, so the model learns which users normally elevate and how often, and raises an anomaly when an account with little or no history of such activity performs a context switch. That pattern can indicate account takeover or unauthorized privilege escalation rather than routine administration. Because the rule is anomaly based, it does not match a fixed signature; it depends on a learned baseline of normal usage, and a hit should be triaged by checking whether the user has a legitimate reason to elevate. Setup requires enabling the associated Machine Learning jobs and collecting the relevant endpoint data through integrations such as Elastic Defend and appropriate Windows monitoring.
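The idea the rule relies on (elevation is routine for some users and rare for others, so rarity per user is the signal) can be shown without the ML job. The following is an added example, not Elastic's rule logic or code: it builds a per-user frequency baseline of runas-style events from a constructed set of ECS-shaped process events and scores new events by how rare elevation is for that user. The field names, the set of "elevation" processes, and the PowerShell `-Verb RunAs` heuristic are assumptions for illustration; the real job trains on Elastic Defend and Windows event data.

```python
"""Toy rarity scorer for Windows user-context-switch events.

Added example: this is NOT the Elastic ML job. It illustrates the rule's
premise that runas-style elevation by a user who rarely or never elevates
is more suspicious than the same action by a habitual administrator.
"""
from collections import Counter

# Assumed set of processes treated as a user-context switch; extend as needed.
ELEVATION_PROCESSES = {"runas.exe"}


def ev(user: str, name: str, cmd: str = "") -> dict:
    """Build a minimal ECS-shaped process event (constructed sample data)."""
    return {"user": {"name": user}, "process": {"name": name, "command_line": cmd}}


def is_elevation(event: dict) -> bool:
    """Return True if the event looks like a privilege elevation attempt."""
    name = event["process"].get("name", "").lower()
    cmd = event["process"].get("command_line", "").lower()
    if name in ELEVATION_PROCESSES:
        return True
    # Assumed heuristic: Start-Process -Verb RunAs triggers a UAC elevation.
    return name == "powershell.exe" and "-verb runas" in cmd


def build_baseline(events: list[dict]) -> Counter:
    """Count historical elevation events per (lower-cased) user name."""
    counts: Counter = Counter()
    for e in events:
        if is_elevation(e):
            counts[e["user"]["name"].lower()] += 1
    return counts


def rarity_score(event: dict, baseline: Counter) -> float:
    """1.0 for a user never seen elevating, decreasing with prior history."""
    prior = baseline.get(event["user"]["name"].lower(), 0)
    return 1.0 / (1.0 + prior)


def find_anomalies(baseline_events: list[dict], new_events: list[dict],
                   threshold: float = 0.5) -> list[dict]:
    """Score new elevation events against the baseline; return those at or above threshold."""
    baseline = build_baseline(baseline_events)
    hits = []
    for e in new_events:
        if not is_elevation(e):
            continue
        s = rarity_score(e, baseline)
        if s >= threshold:
            hits.append({
                "user": e["user"]["name"],
                "process": e["process"]["name"],
                "command_line": e["process"]["command_line"],
                "score": s,
            })
    return hits


# Constructed training window: two admins elevate routinely, carol once,
# dave never; plenty of ordinary activity so the baseline is not trivial.
BASELINE_EVENTS = (
    [ev("alice", "runas.exe", r"runas /user:CORP\alice-adm cmd.exe")] * 5
    + [ev("bob", "runas.exe", r"runas /user:CORP\bob-adm mmc.exe")] * 3
    + [ev("carol", "runas.exe", r"runas /user:CORP\helpdesk regedit.exe")]
    + [ev("carol", "notepad.exe")] * 20
    + [ev("dave", "outlook.exe")] * 30
)

# Constructed detection window.
NEW_EVENTS = [
    ev("alice", "runas.exe", r"runas /user:CORP\alice-adm cmd.exe"),
    ev("dave", "runas.exe", r"runas /user:CORP\Administrator cmd.exe"),
    ev("carol", "powershell.exe", "powershell Start-Process cmd.exe -Verb RunAs"),
    ev("eve", "notepad.exe"),
]

if __name__ == "__main__":
    for hit in find_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{hit['score']:.2f}  {hit['user']:<6} {hit['command_line']}")
```

Running it flags dave (never elevated before, score 1.0) and carol (one prior elevation, score 0.5), while alice's routine runas scores 0.17 and is ignored. A production model additionally conditions on host, time of day and target account, which is why the rule needs a trained ML job rather than a static threshold like this one.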
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
  • Network Traffic
Created: 2020-03-25