
Summary
This detection rule identifies the execution of processes spawned by the Microsoft Connection Manager Profile Installer (CMSTP) on Windows. CMSTP is a Microsoft utility typically used during the configuration of network connections. Its legitimate use is rare in most modern enterprise environments, so any process it launches warrants scrutiny. The rule fires whenever a process is created whose parent image ends with \cmstp.exe, flagging possible misuse of the tool for investigation. Because CMSTP can be abused to bypass User Account Control (UAC), monitoring the processes it starts is important for spotting defense evasion techniques used by adversaries. Alerts generated by this rule cover processes whose parent command line includes the CMSTP executable and retain the full command-line details for forensic analysis.
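The following is an added example of the parent-image check the rule describes, written here for illustration and not taken from the rule or its project. It assumes process-creation events arrive as dictionaries using Sysmon Event ID 1 field names (Image, ParentImage, CommandLine, ParentCommandLine) or Windows Security 4688 field names (NewProcessName, ParentProcessName, CommandLine); the sample events are constructed, and the suffix match is case-insensitive to mirror Sigma's endswith semantics. It goes slightly beyond the page by normalising both event sources into one alert shape.

```python
"""Flag process-creation events whose parent image ends with \\cmstp.exe.
Added example; field names are assumptions, sample events are constructed."""
from typing import Iterable, List, Optional

# Field names differ between Sysmon Event ID 1 and Security 4688; map both to one shape.
# 4688 carries no parent command line, so that slot is None.
FIELD_MAPS = {
    1:    {"image": "Image", "parent": "ParentImage",
           "cmd": "CommandLine", "parent_cmd": "ParentCommandLine"},
    4688: {"image": "NewProcessName", "parent": "ParentProcessName",
           "cmd": "CommandLine", "parent_cmd": None},
}

# Leading backslash ensures only the cmstp.exe file name matches, not e.g. notcmstp.exe.
CMSTP_SUFFIX = "\\cmstp.exe"


def is_cmstp_parent(parent_image: str) -> bool:
    """Case-insensitive 'endswith' check on the parent image path."""
    return parent_image.casefold().endswith(CMSTP_SUFFIX)


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert record for a CMSTP-spawned process, else None."""
    fields = FIELD_MAPS.get(event.get("EventID"))
    if fields is None:
        return None  # not a process-creation event (e.g. a network event)
    parent = event.get(fields["parent"], "")
    if not is_cmstp_parent(parent):
        return None
    parent_cmd_field = fields["parent_cmd"]
    return {
        "rule": "CMSTP Execution Process Creation",
        "host": event.get("Computer", ""),
        "child_image": event.get(fields["image"], ""),
        "child_cmdline": event.get(fields["cmd"], ""),
        "parent_image": parent,
        # Keep the full parent command line for forensic follow-up when available.
        "parent_cmdline": event.get(parent_cmd_field, "") if parent_cmd_field else "",
    }


def find_cmstp_children(events: Iterable[dict]) -> List[dict]:
    """Evaluate every event and collect the alerts in input order."""
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed sample telemetry: two hits (Sysmon and 4688), three non-hits.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c hostname",
     "ParentImage": r"C:\Windows\System32\cmstp.exe",
     "ParentCommandLine": r"cmstp.exe C:\Users\Public\connection.inf"},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "ParentCommandLine": "userinit.exe"},
    {"EventID": 4688, "Computer": "WS02",
     "NewProcessName": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe",
     "ParentProcessName": r"C:\Tools\CMSTP.EXE"},          # upper-case path still matches
    {"EventID": 1, "Computer": "WS03",
     "Image": r"C:\Tools\helper.exe", "CommandLine": "helper.exe",
     "ParentImage": r"C:\Tools\notcmstp.exe", "ParentCommandLine": "notcmstp.exe"},  # no match
    {"EventID": 3, "Computer": "WS01",
     "Image": r"C:\Windows\System32\cmstp.exe"},           # network event, ignored
]

if __name__ == "__main__":
    for alert in find_cmstp_children(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints the two alert records; in a real pipeline the returned dictionaries would be forwarded to the SIEM with the parent command line preserved for triage.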
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2018-07-16