
Execute Files with Msdeploy.exe

Sigma Rules

Summary
This detection rule identifies the execution of files using the utility 'msdeploy.exe', which is categorized as a Living Off the Land Binary (LOLBin). The rule looks for specific command line arguments that indicate potential malicious use of msdeploy.exe: the command line must contain 'verb:sync' together with the parameters '-source:RunCommand' and '-dest:runCommand'. This combination of parameters typically indicates that msdeploy is being misused for process execution rather than for its intended configuration management purpose. The rule triggers only on events where the image path ends with '\msdeploy.exe' and the command line matches all of the defined criteria. It is particularly relevant for tracking defense evasion tactics in which legitimate tools are repurposed for malicious activity.
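To make the selection logic concrete, here is an added example (not the rule's own YAML and not code from the rule's project) that implements the criteria described above in Python and runs them over a few constructed process-creation events. The `ProcessEvent` layout with `image` and `command_line` fields is an assumption modelled on the fields Sigma's process_creation log source exposes.

```python
from dataclasses import dataclass

# Assumed event layout: the two fields this rule needs from a process-creation
# log (Sysmon Event ID 1 or Windows 4688 style), not a real library type.
@dataclass
class ProcessEvent:
    image: str
    command_line: str

def matches_msdeploy_runcommand(ev: ProcessEvent) -> bool:
    """Return True when the event meets every criterion from the rule summary.

    Sigma's 'endswith' and 'contains' modifiers are case-insensitive by
    default, so both fields are lower-cased before comparing.
    """
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    # Image must end with a path separator followed by msdeploy.exe, so a
    # lookalike such as 'notmsdeploy.exe' does not satisfy the check.
    if not image.endswith("\\msdeploy.exe"):
        return False
    # All three tokens must be present: a normal deployment uses 'verb:sync'
    # but not the RunCommand provider on both the source and destination side.
    required = ("verb:sync", "-source:runcommand", "-dest:runcommand")
    return all(tok in cmd for tok in required)

# Constructed sample events (not captured telemetry):
#   0 - the pattern the rule describes
#   1 - a benign content sync using the same binary
#   2 - a lookalike image name with the suspicious arguments
#   3 - the pattern again with different casing, to show case-insensitivity
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe",
                 "-verb:sync -source:RunCommand -dest:runCommand"),
    ProcessEvent(r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe",
                 r"-verb:sync -source:contentPath=C:\site -dest:contentPath=D:\backup"),
    ProcessEvent(r"C:\Temp\notmsdeploy.exe",
                 "-verb:sync -source:RunCommand -dest:runCommand"),
    ProcessEvent(r"C:\PROGRAM FILES\IIS\MICROSOFT WEB DEPLOY V3\MSDEPLOY.EXE",
                 "-VERB:SYNC -Source:RunCommand -Dest:RunCommand"),
]

def alerts(events):
    """Return the indexes of the events the rule would fire on."""
    return [i for i, ev in enumerate(events) if matches_msdeploy_runcommand(ev)]

if __name__ == "__main__":
    print("alerting events:", alerts(SAMPLE_EVENTS))  # -> [0, 3]
```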
Categories
  • Windows
Data Sources
  • Process
Created: 2020-10-18