
Summary
This detection rule identifies potential abuse of the Microsoft Connection Manager Profile Installer (CMSTP), a Microsoft-signed Windows utility that adversaries can use to execute code under the cover of a trusted binary (ATT&CK T1218.003). CMSTP.exe installs Connection Manager service profiles for remote connections from an INF file; because an INF can direct it to run commands, including loading a remote scriptlet, an attacker who controls the INF can run a payload through a signed process and bypass application control without raising alarms. This rule is specifically focused on detecting cmstp.exe being executed alongside the installation of a potentially malicious INF file. The detection logic queries EDR process-execution logs for recent cmstp.exe executions that fit defined patterns, such as an INF file on the command line or parameters associated with malicious use (the silent /s and no-desktop-icon /ni switches are the ones most commonly seen in abuse). Legitimate VPN and dial-up installers also invoke cmstp.exe with an INF, so triage should weigh the parent process and whether the INF sits in a user-writable or remote location. By monitoring this activity, defenders gain early visibility into attempted exploitation and can investigate and respond before a breach.
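To make the detection pattern described above concrete, here is an added example (not the rule's own query or any vendor code) that runs a comparable predicate over a handful of constructed process-creation events in the shape an EDR typically exports. It matches cmstp.exe launched with an INF argument and then tags each match with triage indicators: silent switches, an INF in a user-writable or UNC location, a cmstp.exe binary running from outside System32, and a scripting or Office parent. The event field names, the sample events, the `C:\Windows` system root, and the parent-process list are all assumptions made for the example.

```python
"""Toy CMSTP (T1218.003) detector run over constructed EDR events.

Added example; the predicate is an illustration, not the rule's exact query.
"""
import re
from dataclasses import dataclass, field

# Constructed sample events; field names are an assumption about the EDR schema.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"process": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\payload.inf"},
    {"process": r"C:\Windows\System32\cmstp.exe", "parent": r"C:\Users\alice\Downloads\vpn-setup.exe",
     "command_line": r'cmstp.exe /s "C:\Program Files\Contoso VPN\corp.inf"'},
    {"process": r"C:\Windows\System32\cmstp.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmstp.exe /ni /s \\10.0.0.5\share\x.inf"},
    {"process": r"C:\Windows\System32\cmstp.exe", "parent": r"C:\Windows\explorer.exe",
     "command_line": r"cmstp.exe"},
    {"process": r"C:\Users\bob\Downloads\cmstp.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"C:\Users\bob\Downloads\cmstp.exe /s C:\Users\bob\Downloads\a.inf"},
]

# A quoted path with spaces, or an unquoted token, ending in .inf (case-insensitive).
INF_PATH = re.compile(r'"([^"]+\.inf)"|(\S+\.inf)\b', re.IGNORECASE)
SILENT_FLAGS = {"/s", "/ni"}                      # switches most often seen in abuse
TRUSTED_CMSTP_PATHS = (r"c:\windows\system32\cmstp.exe",   # assumes C:\Windows system root
                       r"c:\windows\syswow64\cmstp.exe")
WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\")
SCRIPT_OR_OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    index: int                      # position of the matching event in the input
    inf_path: str                   # INF passed to cmstp.exe
    indicators: list[str] = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_cmstp_inf(events):
    """Return a Finding for every cmstp.exe execution that names an INF file."""
    findings = []
    for i, ev in enumerate(events):
        if basename(ev["process"]) != "cmstp.exe":
            continue
        m = INF_PATH.search(ev["command_line"])
        if not m:
            continue                # cmstp.exe with no INF: interactive launch, not this pattern
        inf = m.group(1) or m.group(2)
        finding = Finding(i, inf)
        low = inf.lower()
        tokens = {t.lower() for t in ev["command_line"].split()}
        if tokens & SILENT_FLAGS:
            finding.indicators.append("silent_flags")
        if low.startswith("\\\\"):
            finding.indicators.append("inf_on_unc_path")
        elif any(hint in low for hint in WRITABLE_HINTS):
            finding.indicators.append("inf_in_user_writable_path")
        if ev["process"].lower() not in TRUSTED_CMSTP_PATHS:
            finding.indicators.append("cmstp_outside_system32")
        if basename(ev["parent"]) in SCRIPT_OR_OFFICE:
            finding.indicators.append("script_or_office_parent")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_cmstp_inf(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.inf_path} -> {', '.join(f.indicators) or 'no extra indicators'}")
```

Every cmstp.exe execution with an INF is surfaced, which is the rule's hit condition; the indicator list is what separates the corporate VPN installer (silent switch only, INF under Program Files) from the Word-spawned, Temp-directory INF or the copied cmstp.exe binary, and is the kind of context an analyst would want attached to the alert.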
Categories
- Endpoint
- Windows
Data Sources
- Process
- Logon Session
ATT&CK Techniques
- T1218.003
Created: 2024-02-09