
New Virtual Smart Card Created Via TpmVscMgr.EXE

Sigma Rules

Summary
This detection rule identifies the creation of a new virtual smart card through 'Tpmvscmgr.exe', a legitimate Windows utility used for managing virtual smart cards. It monitors process creation events where the 'Image' ends with 'tpmvscmgr.exe' and the command line contains the term 'create'. Both criteria must be met for the rule to match, which narrows the detection to potential unauthorized smart card creation attempts. Because the utility can be executed legitimately (for instance, by administrators), the rule includes a note about possible false positives, and alerts should be evaluated in the context of usage to minimize misidentifications.
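The two conditions described above, applied to a handful of process-creation events, as an added example that is not the rule's own source. The event dictionaries, the `id` and `User` fields, and the function names are assumptions constructed for illustration; matching is case-insensitive, as Sigma string matching is by default.

```python
# Added example: evaluates the rule's two conditions over constructed
# process-creation events (sample data, not real telemetry).

def matches_vsc_creation(event: dict) -> bool:
    """Return True when both conditions of the rule hold for one event."""
    image = str(event.get("Image") or "").lower()
    cmdline = str(event.get("CommandLine") or "").lower()
    image_hit = image.endswith("tpmvscmgr.exe")   # condition 1: Image suffix
    cli_hit = "create" in cmdline                 # condition 2: 'create' in command line
    return image_hit and cli_hit                  # both are required


def triage(events: list) -> list:
    """Return matching events with the context an analyst needs to judge legitimacy."""
    return [
        {"id": e["id"], "User": e.get("User"), "CommandLine": e.get("CommandLine")}
        for e in events
        if matches_vsc_creation(e)
    ]


# Constructed sample events; field names follow common process-creation logging.
SAMPLE_EVENTS = [
    {"id": 1, "User": r"CORP\admin1",
     "Image": r"C:\Windows\System32\tpmvscmgr.exe",
     "CommandLine": "tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate"},
    # Mixed case in both fields still matches.
    {"id": 2, "User": r"CORP\user7",
     "Image": r"C:\Windows\System32\TpmVscMgr.EXE",
     "CommandLine": "TpmVscMgr.exe CREATE /name TestVSC /pin prompt /adminkey random /generate"},
    # Same binary, different verb: condition 2 fails.
    {"id": 3, "User": r"CORP\admin1",
     "Image": r"C:\Windows\System32\tpmvscmgr.exe",
     "CommandLine": r"tpmvscmgr.exe destroy /instance ROOT\SMARTCARDREADER\0000"},
    # 'create' appears, but the image is a different program: condition 1 fails.
    {"id": 4, "User": r"CORP\user7",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo create"},
    # Command line not captured by the log source: no match, no exception.
    {"id": 5, "User": r"CORP\user7",
     "Image": r"C:\Windows\System32\tpmvscmgr.exe",
     "CommandLine": None},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Events 1 and 2 match; whether either is a false positive depends on the user and circumstances, which is why the triage output carries that context.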
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2023-06-15