Sysinternals PsSuspend Suspicious Execution

Summary
This detection rule identifies suspicious execution of Sysinternals PsSuspend, a tool often leveraged by attackers to suspend vital processes such as antivirus (AV) or endpoint detection and response (EDR) services. By suspending these processes, threat actors can bypass protective measures and allow further malicious activity to proceed undetected. The rule looks for instances where PsSuspend is executed, focusing on command-line arguments that suggest an intention to suspend critical security programs such as Windows Defender (msmpeng.exe). The detection strategy monitors process creation logs and screens for the PsSuspend executable and its arguments, so that tampering with system processes is surfaced and the evasion tactics used by malware are not missed. The rule carries a high level because of the critical nature of the behaviour and its potential impact on system security. The provided references give additional context about the PsSuspend utility and highlight its potential misuse.
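The matching logic described above, as an added example rather than the rule's own Sigma source: a small matcher run over constructed process-creation events with Sysmon Event ID 1 style fields (Image, OriginalFileName, CommandLine). The `pssuspend64.exe` image name and the OriginalFileName check (which still fires when the binary has been renamed) are assumptions of this example and are not stated on the page; msmpeng.exe is the security process the page names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    image: str                # full path of the created process
    original_file_name: str   # name from the PE header; survives a renamed file
    command_line: str


# Image names PsSuspend ships under (64-bit name is an assumption of this example).
PSSUSPEND_IMAGES = ("\\pssuspend.exe", "\\pssuspend64.exe")

# Security processes whose suspension the rule is concerned with; msmpeng.exe
# (Windows Defender) is the one named on the page. PsSuspend accepts a name with
# or without the .exe suffix, so the pattern tolerates both forms.
PROTECTED_PROCESS_RE = re.compile(r"\bmsmpeng(\.exe)?\b")

HIGH = "pssuspend_targets_security_process"   # the page's high-level finding
MEDIUM = "pssuspend_execution"                 # PsSuspend seen, no security target


def is_pssuspend(ev: ProcessEvent) -> bool:
    """True when the created process is PsSuspend, even if the file was renamed."""
    image = ev.image.lower()
    return image.endswith(PSSUSPEND_IMAGES) or ev.original_file_name.lower() == "pssuspend.exe"


def targets_protected_process(command_line: str) -> bool:
    """True when the arguments name a protected security process."""
    return PROTECTED_PROCESS_RE.search(command_line.lower()) is not None


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return HIGH, MEDIUM or None for a single process-creation event."""
    if not is_pssuspend(ev):
        return None
    if targets_protected_process(ev.command_line):
        return HIGH
    return MEDIUM


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (event index, finding) pairs for every event that matched."""
    findings = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict is not None:
            findings.append((i, verdict))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Tools\PsSuspend.exe", "pssuspend.exe",
                 r"PsSuspend.exe MsMpEng.exe"),                       # direct hit
    ProcessEvent(r"C:\Users\Public\svc.exe", "pssuspend.exe",
                 r"svc.exe -accepteula msmpeng"),                     # renamed binary
    ProcessEvent(r"C:\Tools\pssuspend64.exe", "pssuspend.exe",
                 r"pssuspend64.exe notepad.exe"),                     # PsSuspend, benign target
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 r"notepad.exe msmpeng.exe"),                         # not PsSuspend at all
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_EVENTS):
        print(f"event {index}: {verdict} :: {SAMPLE_EVENTS[index].command_line}")
```

The OriginalFileName comparison is the part worth keeping in a production rule: matching only on the image path misses the common case where the attacker copies the tool under an innocuous name, while the PE header field still reads `pssuspend.exe`.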
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2023-03-23