Potentially Suspicious Command Targeting Teams Sensitive Files

Sigma Rules

Summary
This detection rule identifies potentially suspicious command-line activity targeting sensitive files belonging to Microsoft Teams. Specifically, it matches commands whose command line references the Teams cookies or local storage files but that are executed by a process other than the legitimate Teams application (Teams.exe). Because the Microsoft Teams database may hold authentication tokens and other sensitive details about signed-in accounts in cleartext, unauthorized access to these files can lead to credential theft or further exploitation. The rule's selection matches process-creation events whose command line contains the sensitive file paths; a filter then excludes events where the image is the legitimate Teams.exe, so that Teams' own access to its files does not raise an alert and false positives are reduced. The rule helps safeguard user credentials and the integrity of sensitive information held by Microsoft Teams in Windows environments.
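The selection-and-filter logic described above, rendered as a small stand-alone matcher over constructed process-creation events. This is an added illustration, not the Sigma rule's YAML and not code from the SigmaHQ project. The exact path substrings (the Teams `Cookies` file and the `Local Storage\leveldb` directory under `\Microsoft\Teams\`) and the legitimate image suffix ending in `\Teams.exe` are assumptions about what the rule matches on, since the page names only "cookies", "local storage" and "Teams.exe"; matching is case-insensitive, mirroring Sigma's default string comparison.

```python
"""
Toy matcher for the "Potentially Suspicious Command Targeting Teams
Sensitive Files" detection: selection AND NOT filter over process events.

Added example, not the rule's own definition or SigmaHQ code. The
substrings and image suffix below are assumed, not taken from the page.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed command-line fragments that identify the Teams cookies and
# local storage files (lower-cased; comparisons are case-insensitive).
SENSITIVE_PATH_FRAGMENTS = (
    r"\microsoft\teams\cookies",
    r"\microsoft\teams\local storage\leveldb",
)

# Assumed suffix of the legitimate Teams binary path (the filter).
LEGIT_TEAMS_IMAGE_SUFFIX = r"\microsoft\teams\current\teams.exe"


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Image + CommandLine)."""
    image: str
    command_line: str


def matched_fragment(event: ProcessEvent) -> Optional[str]:
    """Selection: return the first sensitive path fragment found in
    the command line, or None if none is present."""
    cl = event.command_line.lower()
    for frag in SENSITIVE_PATH_FRAGMENTS:
        if frag in cl:
            return frag
    return None


def is_legit_teams(event: ProcessEvent) -> bool:
    """Filter: the event comes from the legitimate Teams image."""
    return event.image.lower().endswith(LEGIT_TEAMS_IMAGE_SUFFIX)


def matches(event: ProcessEvent) -> bool:
    """Sigma condition for this rule: selection and not filter."""
    return matched_fragment(event) is not None and not is_legit_teams(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[ProcessEvent] = [
    # Teams itself touching its own cookies file: selected, then filtered out.
    ProcessEvent(
        r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        r'"Teams.exe" --cookie-path "C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"',
    ),
    # A shell copying the cookies file: should alert.
    ProcessEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'powershell.exe Copy-Item "C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies" C:\tmp\c',
    ),
    # cmd.exe reading the local storage leveldb directory: should alert.
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r'cmd.exe /c dir "C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb"',
    ),
    # Unrelated activity: no match.
    ProcessEvent(
        r"C:\Windows\System32\notepad.exe",
        r"notepad.exe C:\Users\alice\Documents\notes.txt",
    ),
]


def find_alerts(events: List[ProcessEvent] = SAMPLE_EVENTS) -> List[ProcessEvent]:
    """Return the events that satisfy the rule condition."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for e in find_alerts():
        print(f"ALERT image={e.image} fragment={matched_fragment(e)}")
```

Running the block prints two alerts (the PowerShell and cmd.exe events); the Teams.exe event is selected by the path check but removed by the image filter, which is the false-positive control the summary describes. In a real pipeline the `image` suffix check should be paired with file-integrity or signer validation, since an image path alone can be imitated.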
Categories
  • Endpoint
  • Windows
  • Application
Data Sources
  • Process
Created: 2022-09-16