
Network Connection Initiated Via Notepad.EXE

Sigma Rules

Summary
This detection rule identifies network connections initiated by the 'notepad.exe' process on Windows systems. Notepad generally does not initiate network activity except in specific circumstances, such as when printing documents. Consequently, an unexpected connection initiated by this ostensibly benign application may indicate malicious behavior, such as process injection by beaconing malware. The rule filters out connections intended for printing and monitors only for unexpected traffic over other ports. This distinction is crucial for minimizing false positives, because legitimate printing activity may result in connections on port 9100. Regular monitoring of this rule can help detect potential command-and-control (C2) activity by malicious software that hides within common processes. A match should lead security teams to investigate the other actions taken by 'notepad.exe' and the broader context of surrounding events.
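The detection logic described above, as an added example that is not the rule's own code or part of the original page: it parses constructed Sysmon-style network connection records (Event ID 3, key=value text) and flags connections whose image ends in notepad.exe unless the destination port is the printing port 9100. The field names (EventID, Image, DestinationIp, DestinationPort) follow Sysmon's event schema; the log lines themselves are constructed sample data.

```python
import re
from typing import Dict, List

# Port used by raw (JetDirect-style) printing, the one legitimate reason the
# page gives for notepad.exe to open a network connection.
PRINT_PORT = 9100
# Sysmon Event ID for "Network connection detected".
NETWORK_CONNECTION_EVENT_ID = 3

# key=value tokens; values may be quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict of field name -> value."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_notepad_network_connection(event: Dict[str, str]) -> bool:
    """Selection part of the rule: a network connection event from notepad.exe.

    Matching is on the image path suffix (any directory) and is
    case-insensitive, since Windows paths are.
    """
    if event.get("EventID") != str(NETWORK_CONNECTION_EVENT_ID):
        return False
    image = event.get("Image", "").lower()
    return image.endswith("\\notepad.exe")


def is_suspicious(event: Dict[str, str]) -> bool:
    """Full rule: selection minus the printing exclusion on port 9100.

    A missing or malformed destination port is kept as an alert rather than
    silently dropped, so a broken record cannot hide a real connection.
    """
    if not is_notepad_network_connection(event):
        return False
    try:
        port = int(event.get("DestinationPort", ""))
    except ValueError:
        return True
    return port != PRINT_PORT


def find_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over raw log lines and return the matching events."""
    return [ev for ev in (parse_event(ln) for ln in lines) if is_suspicious(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"EventID=3 Image=C:\Windows\System32\notepad.exe DestinationIp=203.0.113.10 DestinationPort=443 Protocol=tcp",
    r"EventID=3 Image=C:\Windows\System32\notepad.exe DestinationIp=192.0.2.50 DestinationPort=9100 Protocol=tcp",
    r"EventID=3 Image=C:\Program Files\Google\Chrome\Application\chrome.exe DestinationIp=203.0.113.10 DestinationPort=443 Protocol=tcp",
    r"EventID=3 Image=C:\Users\alice\AppData\Local\Temp\NotePad.EXE DestinationIp=198.51.100.7 DestinationPort=8080 Protocol=tcp",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"ALERT notepad.exe -> {alert['DestinationIp']}:{alert['DestinationPort']} ({alert['Image']})")
```

Of the five sample lines, only the first and fourth match: the second is excluded by the port 9100 printing filter, the third is a different image, and the fifth is a process creation event rather than a network connection. The fourth line shows why suffix matching matters: the rule still fires on a notepad.exe copy run from a user-writable directory, which an analyst would want to see.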
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
Created: 2020-05-14