CMSTP UAC Bypass via COM Object Access

Summary
This detection rule identifies attempts to bypass User Account Control (UAC) through the Microsoft Connection Manager Profile Installer (CMSTP) and its auto-elevating COM interface. UAC bypasses that execute through COM objects let an attacker raise privileges without a consent prompt. The rule watches process creation events for DllHost.exe, the legitimate Windows surrogate host for COM objects, and matches command lines that reference the COM objects associated with the known CMSTP UAC bypass methods (IDs 41, 43, 58, and 65). An alert fires when DllHost.exe is started with those command line parameters and runs at a high integrity level, the combination that indicates a likely privilege escalation. Filters for legitimate CMSTP usage are included to reduce false positives. The rule is categorized under Windows process creation, so it applies to any organization running Windows endpoints.
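The following is an added example, not the rule's own Sigma source, showing how the detection described above can be applied to process creation events: match DllHost.exe, extract the COM object CLSID from the `/Processid:` argument, check it against the CMSTP bypass CLSIDs, and require a high integrity level. The page does not list the CLSIDs; the one included is the well-known auto-elevating CMSTPLUA object, and the remaining entries should be taken from the rule source. The pipe-delimited log format, the sample events and the benign CLSID `{00000000-0000-0000-0000-000000000001}` are constructed for this example, and the rule's legitimacy filters are not reproduced.

```python
import re
from dataclasses import dataclass

# CLSIDs referenced by the CMSTP UAC bypass methods. Only the well-known
# CMSTPLUA object is listed here; the page does not enumerate the rule's full
# list, so extend this set from the rule source (assumption).
CMSTP_UAC_BYPASS_CLSIDS = {
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",  # CMSTPLUA (auto-elevated)
}

# Integrity levels that indicate the COM host already runs elevated.
HIGH_INTEGRITY = {"high", "system"}

# Matches "/Processid:{CLSID}" as passed to DllHost.exe by the COM runtime.
PROCESSID_RE = re.compile(r"/processid:\s*(\{[0-9a-f-]{36}\})", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    integrity_level: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' process creation record
    using the Sigma field names Image, CommandLine and IntegrityLevel."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return ProcessEvent(
        image=fields["Image"],
        command_line=fields["CommandLine"],
        integrity_level=fields["IntegrityLevel"],
    )


def is_cmstp_uac_bypass(ev: ProcessEvent) -> bool:
    """True when an elevated DllHost.exe hosts one of the CMSTP bypass COM objects."""
    if not ev.image.lower().endswith("\\dllhost.exe"):
        return False
    match = PROCESSID_RE.search(ev.command_line)
    if match is None:
        return False
    if match.group(1).upper() not in CMSTP_UAC_BYPASS_CLSIDS:
        return False
    return ev.integrity_level.lower() in HIGH_INTEGRITY


def scan(lines: list[str]) -> list[int]:
    """Return the indices of the records that trigger the detection."""
    return [i for i, line in enumerate(lines) if is_cmstp_uac_bypass(parse_event(line))]


# Constructed sample events: one true positive, one benign COM object in an
# elevated host, one bypass CLSID at medium integrity, one unrelated process.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\DllHost.exe"
    "|CommandLine=C:\\Windows\\system32\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
    "|IntegrityLevel=High",
    "Image=C:\\Windows\\System32\\DllHost.exe"
    "|CommandLine=C:\\Windows\\system32\\DllHost.exe /Processid:{00000000-0000-0000-0000-000000000001}"
    "|IntegrityLevel=High",
    "Image=C:\\Windows\\System32\\DllHost.exe"
    "|CommandLine=C:\\Windows\\system32\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
    "|IntegrityLevel=Medium",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe|IntegrityLevel=Medium",
]

if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        print(f"ALERT: CMSTP UAC bypass indicators in record {idx}: {SAMPLE_EVENTS[idx]}")
```

Only the first record fires: the second hosts a different COM object, the third is not elevated, and the fourth is not DllHost.exe. The integrity level check is what separates a completed elevation from an ordinary COM activation, so telemetry that does not record IntegrityLevel needs a different corroborating signal.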
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2019-07-31