
Summary
Detects deletion of the MSI Rollback Script (.rbs) in C:\Config.Msi as part of an MSI rollback privilege escalation attempt. The Windows Installer service, which runs as SYSTEM, uses Rollback Script (.rbs) and Rollback File (.rbf) artifacts to restore the previous state after a failed MSI install. The C:\Config.Msi folder is protected by a stringent DACL to prevent tampering by low-privileged users, because its contents are executed by the SYSTEM-level installer during rollback. This rule flags cases where a process other than msiexec.exe deletes an .rbs file located under C:\Config.Msi, an action that could nullify rollback safeguards and enable arbitrary code execution at SYSTEM level. The detection leverages Sysmon EventID 23 (file deletion) and filters on TargetFilename patterns C:\Config.Msi\* and *.rbs while excluding msiexec.exe as the initiating process. Alert fields include host, process, target file, and time, culminating in the message: MSI rollback script file $TargetFilename$ was deleted on $dest$ by $ProcessName$. The rule maps to the Endpoint CIM data model and is supported by EDR telemetry. It references CVE-2024-44193 and aligns with Windows privilege escalation techniques (e.g., T1218.007, T1068). False positives may occur during legitimate maintenance or MSI uninstall operations that remove rollback artifacts; such events require verification against approved activities.
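The filtering logic described above, run over a handful of constructed Sysmon Event ID 23 records, as an added example that is not the rule's own search and not code from the rule's authors. It assumes the standard Sysmon FileDelete field names (Image, TargetFilename, UtcTime, User) plus Computer for the host; the process name is taken as the basename of Image, and all path and name comparisons are case-insensitive because NTFS and Windows image names are. The sample events, host names, users and file names are made up; the `excluded_processes` parameter beyond the rule's msiexec.exe exclusion is an assumption added so that the uninstall/maintenance false positives the rule warns about can be tuned out after verification.

```python
"""Added example: MSI rollback-script (.rbs) deletion detection over
constructed Sysmon Event ID 23 (FileDelete) records. Not the rule's own SPL."""

from typing import Iterable

# The rule's only exclusion: the Windows Installer binary itself.
DEFAULT_EXCLUDED_PROCESSES = frozenset({"msiexec.exe"})
# Lower-cased forms of the rule's TargetFilename patterns C:\Config.Msi\* and *.rbs.
CONFIG_MSI_PREFIX = "c:\\config.msi\\"
ROLLBACK_SCRIPT_SUFFIX = ".rbs"


def process_name_from_image(image: str) -> str:
    """Basename of a Sysmon Image path, e.g. C:\\...\\tool.exe -> tool.exe."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1]


def matches_rule(event: dict, excluded_processes=DEFAULT_EXCLUDED_PROCESSES) -> bool:
    """Sysmon EID 23, TargetFilename under C:\\Config.Msi\\ ending in .rbs,
    and the deleting process is not one of the excluded names."""
    if event.get("EventID") != 23:
        return False
    target = str(event.get("TargetFilename", "")).lower()
    if not (target.startswith(CONFIG_MSI_PREFIX) and target.endswith(ROLLBACK_SCRIPT_SUFFIX)):
        return False
    process = process_name_from_image(str(event.get("Image", ""))).lower()
    return process not in excluded_processes


def build_alert(event: dict) -> dict:
    """Shape the alert fields (host, process, target file, time) and the
    message text in the same form the rule's message uses."""
    process = process_name_from_image(str(event.get("Image", "")))
    target = event.get("TargetFilename", "")
    dest = event.get("Computer", "")
    return {
        "dest": dest,
        "process": process,
        "target_file": target,
        "time": event.get("UtcTime", ""),
        "user": event.get("User", ""),
        "message": f"MSI rollback script file {target} was deleted on {dest} by {process}",
    }


def detect(events: Iterable[dict], excluded_processes=DEFAULT_EXCLUDED_PROCESSES) -> list:
    """Return one alert dict per event that matches the rule."""
    return [build_alert(e) for e in events if matches_rule(e, excluded_processes)]


# Constructed sample events (not real telemetry); names and paths are made up.
SAMPLE_EVENTS = [
    # 1. Legitimate: the installer itself removes its rollback script -> excluded.
    {"EventID": 23, "Computer": "WS01", "UtcTime": "2026-04-13 10:00:01.100",
     "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Config.Msi\\4f2a1c.rbs"},
    # 2. Suspicious: a user-level binary deletes an .rbs under C:\Config.Msi -> alert.
    {"EventID": 23, "Computer": "WS01", "UtcTime": "2026-04-13 10:02:17.430",
     "User": "WS01\\alice", "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetFilename": "C:\\Config.Msi\\4f2a1c.rbs"},
    # 3. Same process, but an .rbf: outside this rule's *.rbs pattern.
    {"EventID": 23, "Computer": "WS01", "UtcTime": "2026-04-13 10:02:17.431",
     "User": "WS01\\alice", "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetFilename": "C:\\Config.Msi\\4f2a1c.rbf"},
    # 4. An .rbs elsewhere on disk: not under the protected folder.
    {"EventID": 23, "Computer": "WS01", "UtcTime": "2026-04-13 10:05:00.000",
     "User": "WS01\\alice", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Temp\\note.rbs"},
    # 5. Not a deletion (EID 11 is FileCreate) even though the path matches.
    {"EventID": 11, "Computer": "WS01", "UtcTime": "2026-04-13 10:06:00.000",
     "User": "WS01\\alice", "Image": "C:\\Users\\alice\\Downloads\\tool.exe",
     "TargetFilename": "C:\\Config.Msi\\4f2a1c.rbs"},
    # 6. Case variation of the excluded process and path must still be excluded.
    {"EventID": 23, "Computer": "WS02", "UtcTime": "2026-04-13 11:00:00.000",
     "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\WINDOWS\\SysWOW64\\MSIEXEC.EXE",
     "TargetFilename": "c:\\config.msi\\9b.rbs"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["message"])
```

Only event 2 produces an alert; the installer's own cleanup (events 1 and 6), the .rbf, the .rbs outside C:\Config.Msi and the non-delete event all fall through. Verified maintenance or uninstall tooling can be passed in `excluded_processes` instead of being hard-coded into the match.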
Categories
- Endpoint
- Windows
Data Sources
- Process
- File
ATT&CK Techniques
- T1218.007
- T1068
Created: 2026-04-13