Vendor
This rule detects the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary, which adversaries may leverage to escalate privileges and bypass access controls through token theft.