
Summary
This analytic rule detects the Windows Installer, msiexec.exe, spawning the Windows Debugger, windbg.exe. It inspects endpoint process-creation telemetry for events in which msiexec.exe is the parent process of windbg.exe. An installer has no ordinary reason to launch a debugger, so this parent/child pair is atypical for standard user activity and may indicate abuse of msiexec.exe as a trusted proxy to execute a tool that can attach to, inspect and manipulate running processes (MITRE ATT&CK T1218.007, System Binary Proxy Execution: Msiexec). A match warrants investigation for potential privilege escalation or unauthorized persistence in the environment. The rule draws on process-creation data from sources such as Sysmon (Event ID 1) and Windows Security event logs (Event ID 4688).
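As an added example, not the rule's own search logic, the parent/child check described above expressed in Python and run over constructed process-creation records. The field names follow the Sysmon Event ID 1 schema (Image, ParentImage, CommandLine) and the Security Event ID 4688 schema (NewProcessName, ParentProcessName); the host names, paths and command lines are made up, and `normalize`, `exe_name`, `is_msiexec_spawning_windbg` and `find_alerts` are hypothetical helper names chosen for this illustration.

```python
"""Detection logic for 'MSIExec spawning WinDBG', run over constructed
process-creation records.  Added example, not the rule's own search.
Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine)
and Security Event ID 4688 (NewProcessName, ParentProcessName); every
sample value below is constructed, none is real telemetry."""
from pathlib import PureWindowsPath

# Constructed sample records: a mix of Sysmon EID 1 and Security EID 4688
# shapes, as a SIEM might hand them over after ingestion.
SAMPLE_EVENTS = [
    # Normal: Explorer launches the installer. No alert.
    {"Source": "Sysmon", "EventID": 1, "Computer": "ws01",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\app.msi"},
    # Suspicious: the installer spawns the debugger. Mixed case and a
    # non-standard parent path must not defeat the match.
    {"Source": "Sysmon", "EventID": 1, "Computer": "ws01",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe",
     "ParentImage": r"C:\Users\Public\MSIEXEC.EXE",
     "CommandLine": r"windbg.exe -p 4412"},
    # Normal: an analyst starts WinDbg from Explorer. No alert.
    {"Source": "Sysmon", "EventID": 1, "Computer": "dev07",
     "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"windbg.exe"},
    # Suspicious: the same pattern seen through Security 4688 field names.
    {"Source": "Security", "EventID": 4688, "Computer": "srv02",
     "NewProcessName": r"C:\Tools\windbg.exe",
     "ParentProcessName": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r"windbg.exe -z C:\Windows\Temp\proc.dmp"},
    # Not a process-creation event (Sysmon network connection). Ignored.
    {"Source": "Sysmon", "EventID": 3, "Computer": "ws01",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "DestinationIp": "10.0.0.5"},
    # File name that merely contains the substring: must not match.
    {"Source": "Sysmon", "EventID": 1, "Computer": "ws01",
     "Image": r"C:\Tools\notwindbg.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"notwindbg.exe"},
]

# (source, event id) pairs that carry process-creation data.
PROCESS_CREATION = {("Sysmon", 1), ("Security", 4688)}


def normalize(event):
    """Map a Sysmon EID 1 or Security EID 4688 record onto one shape, or
    return None when the record is not a process-creation event."""
    if (event.get("Source"), event.get("EventID")) not in PROCESS_CREATION:
        return None
    image = event.get("Image") or event.get("NewProcessName") or ""
    parent = event.get("ParentImage") or event.get("ParentProcessName") or ""
    return {
        "computer": event.get("Computer", ""),
        "image": image,
        "parent": parent,
        "command_line": event.get("CommandLine", ""),
    }


def exe_name(path):
    """Case-folded file name only, so full paths, alternate install
    directories and mixed case all compare equal."""
    return PureWindowsPath(path).name.lower()


def is_msiexec_spawning_windbg(event):
    """The rule's condition: parent is msiexec.exe and child is windbg.exe.
    Exact name comparison avoids substring hits such as notwindbg.exe."""
    rec = normalize(event)
    if rec is None:
        return False
    return (exe_name(rec["parent"]) == "msiexec.exe"
            and exe_name(rec["image"]) == "windbg.exe")


def find_alerts(events):
    """Return the normalized records that match the rule, carrying the
    host, full paths and command line an analyst needs for triage."""
    return [normalize(e) for e in events if is_msiexec_spawning_windbg(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"{hit['computer']}: {hit['parent']} -> {hit['image']} "
              f"[{hit['command_line']}]")
```

Matching on the case-folded file name rather than the full path is deliberate: msiexec.exe can be copied and run from any directory, and WinDbg is installed under several different paths depending on the kit version, so a path-anchored rule would miss exactly the cases worth seeing. Keeping the full paths and command line in the alert output gives the analyst the context (a debugger attached to a PID, a dump file opened) needed to decide whether the hit is abuse or an odd but benign installer.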
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1218.007
Created: 2024-12-10