
Summary
This detection rule focuses on the execution of the Microsoft Connection Manager Profile Installer (CMSTP), which can be used as a vector for code execution and User Account Control (UAC) bypass on Windows systems. The rule identifies process access events related to CMSTP by inspecting the call trace for references to 'cmlua.dll', a dynamic link library associated with CMSTP execution. Because CMSTP can execute arbitrary code, detecting its invocation can reveal attempts to abuse its functionality for malicious purposes. Intended primarily for Windows environments, this rule helps security analysts identify unauthorized use of CMSTP that may indicate a breach or an intrusion attempt.
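The check the rule describes, applied to a few constructed process-access records, as an added example that is not part of the rule or its project. It assumes the telemetry is exported as tab-separated key=value fields carrying the Sysmon Event ID 10 names SourceImage, TargetImage and CallTrace; the three sample records and their module offsets are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample telemetry (not real logs): two process-access records
# (EventID 10) and one process-creation record (EventID 1), rendered as
# tab-separated key=value fields. Offsets in the call traces are made up.
SAMPLE_LOG = "\n".join([
    "EventID=10\tSourceImage=C:\\Windows\\System32\\cmstp.exe"
    "\tTargetImage=C:\\Windows\\explorer.exe"
    "\tCallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d224"
    "|C:\\Windows\\System32\\CMLUA.dll+2c1b"
    "|C:\\Windows\\System32\\cmstp.exe+1a3f",
    "EventID=10\tSourceImage=C:\\Windows\\System32\\svchost.exe"
    "\tTargetImage=C:\\Windows\\System32\\lsass.exe"
    "\tCallTrace=C:\\Windows\\SYSTEM32\\ntdll.dll+9d224"
    "|C:\\Windows\\System32\\KERNELBASE.dll+2e0b",
    "EventID=1\tImage=C:\\Windows\\System32\\cmstp.exe"
    "\tCommandLine=cmstp.exe /s profile.inf",
])


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated key=value lines into one dict per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for pair in line.split("\t"):
            key, _, value = pair.partition("=")
            fields[key.strip()] = value
        events.append(fields)
    return events


def calltrace_references_cmlua(event: Dict[str, str]) -> bool:
    """True when the call trace names cmlua.dll (case-insensitive, since
    Windows module names are logged in varying case)."""
    return "cmlua.dll" in event.get("CallTrace", "").lower()


def detect_cmstp_cmlua_access(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return triage records for process-access events whose call trace
    passes through cmlua.dll, the condition the rule describes."""
    alerts = []
    for event in events:
        if event.get("EventID") != "10":
            continue  # only process-access events carry a CallTrace
        if not calltrace_references_cmlua(event):
            continue
        alerts.append({
            "SourceImage": event.get("SourceImage", ""),
            "TargetImage": event.get("TargetImage", ""),
            "CallTrace": event.get("CallTrace", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_cmstp_cmlua_access(parse_events(SAMPLE_LOG)):
        print(f"CMSTP/cmlua.dll process access: "
              f"{alert['SourceImage']} -> {alert['TargetImage']}")
```

Only the first record fires: the second is an ordinary svchost.exe access with no cmlua.dll frame, and the third is a process-creation event without a call trace at all, so the rule's condition cannot apply to it. In practice, analysts would enrich the alert with the logon session data the rule lists as a source to see which user context the access happened under.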
Categories
- Windows
- Endpoint
Data Sources
- Process
- Logon Session
Created: 2018-07-16