CMSTP Execution Registry Event

Sigma Rules

Summary
This Sigma rule detects execution of the Microsoft Connection Manager Profile Installer (CMSTP) through the registry activity it leaves behind: it matches registry events whose TargetObject contains the string '\cmmgr32.exe', a registry path associated with CMSTP. CMSTP is a signed, built-in Windows binary, and attackers have abused it to bypass User Account Control (UAC) and to execute payloads carried in attacker-supplied .inf files (MITRE ATT&CK T1218.003, System Binary Proxy Execution: CMSTP). The rule consumes registry event telemetry, in practice Sysmon Event IDs 12, 13 and 14, so the Sysmon configuration must actually include this path in its registry filters; Sysmon records only the registry changes its configuration selects. Because the match is a plain case-insensitive substring test, legitimate profile installations trigger it as well, so each hit should be triaged by reviewing the parent process and the command line that launched cmstp.exe in environments where CMSTP is used legitimately. The rule maps to the defense evasion and execution tactics, and organizations running Windows endpoints can deploy it to gain visibility into CMSTP misuse.
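The matching logic described above, run over a few constructed Sysmon-style registry records, as an added example that is not part of the original page or of the Sigma rule's own YAML. The flat record format, the field names other than the rule's TargetObject, and the sample registry paths and SIDs are assumptions made for the example; the rule file itself is not reproduced here.

```python
"""Added example: apply the 'CMSTP Execution Registry Event' match
(TargetObject contains '\\cmmgr32.exe') to constructed Sysmon-style
registry records. Not the Sigma project's code; the record format and
sample paths are assumptions made for this example."""

# Sysmon registry event IDs that feed Sigma's windows/registry_event source:
# 12 = key/value created or deleted, 13 = value set, 14 = key/value renamed.
REGISTRY_EVENT_IDS = {12, 13, 14}

# The rule's selector: Sigma's 'contains' modifier is a case-insensitive
# substring test.
CMSTP_NEEDLE = r"\cmmgr32.exe"


def parse_record(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' line into a dict.

    This flat format is constructed for the example; real Sysmon events are
    XML in the Microsoft-Windows-Sysmon/Operational channel.
    """
    record = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition("=")
        record[key.strip()] = value.strip()
    record["EventID"] = int(record.get("EventID", 0))
    return record


def matches_cmstp_registry_rule(record: dict) -> bool:
    """True when the record is a registry event whose TargetObject contains
    '\\cmmgr32.exe', mirroring the Sigma rule's condition."""
    if record["EventID"] not in REGISTRY_EVENT_IDS:
        return False  # process-creation and other event types are out of scope
    target = record.get("TargetObject", "")
    return CMSTP_NEEDLE.lower() in target.lower()


def run_rule(lines):
    """Return the parsed records that the rule would alert on."""
    return [r for r in map(parse_record, lines) if matches_cmstp_registry_rule(r)]


# Constructed sample telemetry (not captured from a real host).
SAMPLE_LINES = [
    # Value set under the machine-wide App Paths key; upper-case path checks case folding.
    r"EventID=13|Image=C:\Windows\System32\cmstp.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE\Path|Details=C:\Windows\System32",
    # Unrelated Run-key persistence: must not match this rule.
    r"EventID=13|Image=C:\Users\alice\AppData\Local\Temp\setup.exe|TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater|Details=C:\Users\alice\AppData\Local\Temp\setup.exe",
    # cmstp.exe process creation: right binary, wrong event type for this rule.
    r"EventID=1|Image=C:\Windows\System32\cmstp.exe|CommandLine=cmstp.exe /ni /s C:\Users\alice\Downloads\profile.inf",
    # Per-user key created while a profile is installed.
    r"EventID=12|Image=C:\Windows\System32\cmstp.exe|TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe|EventType=CreateKey",
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LINES):
        print(f"ALERT EventID={hit['EventID']} Image={hit['Image']} "
              f"TargetObject={hit['TargetObject']}")
```

Two of the four constructed records fire: the upper-case `CMMGR32.EXE` path still matches because Sigma's `contains` is case-insensitive, and the cmstp.exe process-creation record is ignored because the rule evaluates registry events only. In practice, pair this rule with a process-creation rule keyed on the cmstp.exe command line so that an alert also shows which .inf file was installed.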
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
Created: 2018-07-16