
Summary
This detection rule, authored by Elastic, targets potential misuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) on Windows systems. It identifies cases where adversaries abuse MSDT to execute malicious commands or binaries by manipulating the arguments passed to the process. The rule uses EQL (Event Query Language) to inspect process-creation events from the last 9 months, drawing on data sources such as endpoint process logs, Windows event logs, and Microsoft 365 Defender logs. Detection hinges on the process name together with the arguments passed to it, and the rule carries a high risk score reflecting its severity. It is intended to detect defense evasion tactics often employed by attackers. The triage guidance stresses examining file paths and the legitimacy of the parent process, and it addresses false positives that can arise from legitimate IT activity. Overall, the rule strengthens security posture by proactively surfacing suspicious MSDT behavior relevant to threat detection.
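The process-name, argument and parent-process checks described above, re-implemented offline over constructed process-creation events as an added example (not the page's or Elastic's own code); the ECS-style field names, the argument patterns and the parent-process list are assumptions chosen here for illustration, not taken from the rule.

```python
"""Added example: a small MSDT-abuse heuristic over process-creation events.
Indicator lists below are illustrative assumptions, not the rule's own logic."""
import fnmatch

# Assumed indicators: MSDT launched through the ms-msdt: URI handler or with a
# troubleshooter argument that can point at an attacker-controlled file.
SUSPICIOUS_ARG_PATTERNS = ("ms-msdt:*", "IT_RebrowseForFile=*", "*FromBase64*")

# Assumed: document viewers rarely have a legitimate reason to spawn MSDT, so
# the parent process is a strong triage signal even when arguments look plain.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                      "outlook.exe", "acrord32.exe"}


def is_suspicious_msdt(event: dict) -> bool:
    """Return True when a process-creation event matches the MSDT heuristic."""
    if event.get("process.name", "").lower() != "msdt.exe":
        return False
    args = event.get("process.args", [])
    # Case-insensitive glob match of every argument against every pattern.
    if any(fnmatch.fnmatchcase(a.lower(), p.lower())
           for a in args for p in SUSPICIOUS_ARG_PATTERNS):
        return True
    return event.get("process.parent.name", "").lower() in SUSPICIOUS_PARENTS


def triage_alerts(events):
    """Split events into (hits, benign) so an analyst reviews only the hits."""
    hits = [e for e in events if is_suspicious_msdt(e)]
    benign = [e for e in events if not is_suspicious_msdt(e)]
    return hits, benign


# Constructed sample events (ECS-style field names), not real telemetry.
SAMPLE_EVENTS = [
    # Ordinary troubleshooter run from the desktop shell: expected benign.
    {"process.name": "msdt.exe", "process.parent.name": "explorer.exe",
     "process.args": ["msdt.exe", "-id", "NetworkDiagnosticsWeb"]},
    # Plain-looking arguments, but spawned by a word processor: hit on parent.
    {"process.name": "msdt.exe", "process.parent.name": "WINWORD.EXE",
     "process.args": ["msdt.exe", "/id", "PCWDiagnostic"]},
    # Legitimate parent, but invoked via the ms-msdt: URI handler: hit on args.
    {"process.name": "msdt.exe", "process.parent.name": "explorer.exe",
     "process.args": ["msdt.exe", "ms-msdt:/id", "PCWDiagnostic"]},
]

if __name__ == "__main__":
    hits, benign = triage_alerts(SAMPLE_EVENTS)
    print(f"{len(hits)} suspicious, {len(benign)} benign")
```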
Categories
- Endpoint
- Windows
Data Sources
- Process
- Malware Repository
- Logon Session
- Windows Registry
- Application Log
ATT&CK Techniques
- T1218
Created: 2022-05-31