
Summary
This detection rule monitors for the execution of MSI files through the Windows Installer's msiexec.exe tool. Windows Installer uses this executable to install MSI and MSP packages, giving control over software installation. The rule looks for process creation events (EventCode=1) in Windows Sysmon logs that indicate the use of msiexec.exe with an MSI file extension. The technique is associated with various threat actors known for malware deployments, including APT-K-47, APT36 and TA505, as well as groups linked to malicious software such as Clop, DirtyMoe and others. The logic uses Splunk syntax to filter and collect the relevant event data, focusing on process creation events for msiexec with a regex match for '.msi' files. The resulting alerts can help identify attempts to use MSI files, which may indicate malicious activity or defense evasion by adversaries.
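The following is an added example, not the rule's own Splunk search: it applies the same matching logic (Sysmon EventCode 1, msiexec.exe image, a command line referencing an .msi package) in Python over constructed Sysmon-style records, so the match and non-match cases can be checked offline. It goes slightly beyond the rule as described by also checking Sysmon's OriginalFileName field, which catches a renamed copy of msiexec.exe; all paths, hostnames and command lines below are made up.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) records. Field names follow
# Sysmon's schema; every value is invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "1", "Image": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\update.msi" /qn'},
    {"EventCode": "1", "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "OriginalFileName": "msiexec.exe",
     "CommandLine": "msiexec /i http://pkg.example.invalid/installer.MSI /quiet"},
    {"EventCode": "1", "Image": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "msiexec.exe",
     "CommandLine": "msiexec.exe /V"},  # Windows Installer service self-launch, no package
    {"EventCode": "1", "Image": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "msiexec.exe",
     "CommandLine": "msiexec /x {PRODUCT-CODE-GUID} /qn"},  # uninstall by product code
    {"EventCode": "1", "Image": r"C:\Users\bob\Downloads\svchost.exe",
     "OriginalFileName": "msiexec.exe",  # renamed copy; Image alone would miss it
     "CommandLine": r"svchost.exe /i C:\Users\bob\Downloads\pkg.msi /qn"},
    {"EventCode": "3", "Image": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "msiexec.exe", "CommandLine": ""},  # network event, wrong EventCode
]

# The dot is escaped: an unescaped '.msi' would also match the '\msi' inside
# every msiexec.exe path. The lookahead stops '.msix' from matching.
MSI_ARG = re.compile(r"\.msi(?=[\s\"']|$)", re.IGNORECASE)


def is_msiexec_msi_install(event: Dict[str, str]) -> bool:
    """True when a Sysmon process-creation event shows msiexec.exe handling an .msi package."""
    if event.get("EventCode") != "1":
        return False
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    if image_name != "msiexec.exe" and original != "msiexec.exe":
        return False
    return MSI_ARG.search(event.get("CommandLine", "")) is not None


def find_matches(events: List[Dict[str, str]]) -> List[str]:
    """Return the command line of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if is_msiexec_msi_install(e)]


if __name__ == "__main__":
    for cmd in find_matches(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

The service self-launch (`/V`) and the product-code uninstall (`/x {GUID}`) are deliberately left unmatched, since neither references an .msi file; tuning the regex to also cover `/x` with a package path is a local decision.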
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1218.007
Created: 2024-02-09