
Summary
This detection rule identifies execution of the NPS (Nginx Pusher Server) tunneling tool, a known utility for creating port forwarding and intranet penetration through a proxy server. The rule focuses on instances of the `npc.exe` process, the NPS client, by checking the command-line parameters for flags and configuration options indicative of this tool's use. It also compares the binary against known hashes of this executable to confirm that the process really is the NPS client. Possible detection scenarios include a command line containing the flags typical for NPS usage, the presence of the specific file hashes, or an image path ending in `\npc.exe`. The rule has a high severity level because NPS can be misused to establish command-and-control channels or remote access. False positives may arise from legitimate business use of NPS, so careful contextual review of alerts is recommended.
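The following Python snippet is an added example of the three-way check the summary describes (image suffix, command-line flags, file hash) applied to a few constructed process-creation events; it is not the rule's own logic. The flag names `-server=`, `-vkey=`, `-type=` and `-config=` are assumed from the npc client's documented command-line usage rather than taken from this page, and the SHA256 value in `KNOWN_NPC_SHA256` is a placeholder standing in for the real hashes the rule carries.

```python
"""Toy detector for the NPS client (npc.exe), modelled on the rule summary.

Each condition is evaluated separately so an analyst can see *why* an event
fired (renamed binary caught by hash, unknown build caught by flags, etc.).
"""
from __future__ import annotations

# Assumption: flags taken from the npc client's documented usage, not from the rule page.
NPS_CLIENT_FLAGS = ("-server=", "-vkey=", "-type=", "-config=")

# Placeholder set: the real rule lists specific hashes; this constructed value
# will not match any real file and exists only to exercise the code path.
KNOWN_NPC_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}


def parse_hash_field(hash_field: str) -> dict[str, str]:
    """Parse a Sysmon-style 'SHA256=...,MD5=...' field into {ALGO: hexdigest}."""
    parsed: dict[str, str] = {}
    for part in hash_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            parsed[algo.strip().upper()] = value.strip().lower()
    return parsed


def match_nps_client(event: dict) -> list[str]:
    """Return the rule conditions this event satisfies (empty list if none)."""
    reasons: list[str] = []

    # Condition 1: the image path ends with \npc.exe (case-insensitive).
    image = event.get("Image", "").lower()
    if image.endswith("\\npc.exe"):
        reasons.append("image")

    # Condition 2: command line carries the NPS client flags. Requiring both
    # -server= and -vkey= together avoids firing on unrelated tools that
    # happen to use a lone -server= switch.
    cmdline = event.get("CommandLine", "").lower()
    present = {flag for flag in NPS_CLIENT_FLAGS if flag in cmdline}
    if {"-server=", "-vkey="} <= present:
        reasons.append("cmdline")

    # Condition 3: known hash of the npc binary, which survives renaming.
    hashes = parse_hash_field(event.get("Hashes", ""))
    if hashes.get("SHA256") in KNOWN_NPC_SHA256:
        reasons.append("hash")

    return reasons


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # straightforward npc run: every condition matches
        "Image": r"C:\Users\alice\Downloads\npc.exe",
        "CommandLine": r"npc.exe -server=10.0.0.5:8024 -vkey=abc123 -type=tcp",
        "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000001",
    },
    {   # benign Windows service host: nothing matches
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "svchost.exe -k netsvcs",
        "Hashes": "SHA256=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
    },
    {   # renamed, rebuilt client: only the command-line flags give it away
        "Image": r"C:\Tools\updater.exe",
        "CommandLine": "updater.exe -server=10.0.0.5:8024 -vkey=abc123",
        "Hashes": "SHA256=eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
    },
]


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (image, matched conditions) for every event that triggers the rule."""
    hits = []
    for event in events:
        reasons = match_nps_client(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: matched {', '.join(reasons)}")
```

Reporting the matched conditions rather than a bare boolean is what makes the contextual review the summary asks for practical: an `image`-only hit on a build server is a different conversation from a `cmdline`-only hit under a renamed binary in a user's profile.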
Categories
- Network
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-10-08