A question and discussion session between me and my colleague prompted this debate. Does Sig 413 alert if "malicious actor 1" has admin-level rights to a box... possibly having moved laterally across the network, and drops his tool kit on a system. Now some of these tools are executables hidden as .docs or .pdfs. Will HIPS identify and eliminate this threat?
My take is that the situation you named is possible, completely independent of the user's credentials.
I believe the signature will trigger based solely on the detection of a double file extension.
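
As an added illustration (not part of the original posts, and not the HIPS product's own signature logic), the Python below separates the two disguises raised in the question: a document extension followed by an executable one, and an executable renamed to a plain document extension. The extension sets, function names and sample files are assumptions constructed for this example; both checks look only at the file name and its leading bytes, never at the account that wrote the file.

```python
import ntpath  # parses Windows-style paths on any platform

# Assumed extension sets for illustration; a real signature defines its own.
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}
EXE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}


def has_double_extension(filename):
    """True when a document-style extension is followed by an executable one."""
    name = ntpath.basename(filename).lower().rstrip(" .")
    stem, last = ntpath.splitext(name)
    # Strip padding between the two extensions, e.g. "invoice.pdf   .exe".
    inner = ntpath.splitext(stem.rstrip(" ."))[1]
    return last in EXE_EXTS and inner in DOC_EXTS


def is_pe_content(head):
    """True when the leading bytes carry the 'MZ' magic of a Windows executable."""
    return head[:2] == b"MZ"


def classify(filename, head):
    """Return the findings for one file, given its name and first bytes."""
    findings = []
    if has_double_extension(filename):
        findings.append("double-extension")
    ext = ntpath.splitext(ntpath.basename(filename).lower())[1]
    if ext in DOC_EXTS and is_pe_content(head):
        findings.append("pe-content-with-document-extension")
    return findings


# Constructed samples: (path, first bytes of the file).
SAMPLES = [
    (r"C:\Users\Public\report.pdf.exe", b"MZ\x90\x00"),
    (r"C:\Users\Public\invoice.pdf   .exe", b"MZ\x90\x00"),
    (r"C:\Users\Public\toolkit.doc", b"MZ\x90\x00"),
    (r"C:\Users\Public\notes.v2.docx", b"PK\x03\x04"),
    (r"C:\Users\Public\summary.pdf", b"%PDF-1.7"),
]

if __name__ == "__main__":
    for path, head in SAMPLES:
        print(f"{ntpath.basename(path)!r}: {classify(path, head) or 'clean'}")
```

A name-only check flags the first two samples but not `toolkit.doc`, which only the content check catches.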