
Summary
This rule detects suspicious behavior in which the Windows Installer process (MSIExec) spawns multiple discovery commands, such as PowerShell, Cmd, or others. MSIExec typically creates no child processes other than further instances of itself, so this behavior is potentially malicious: it can indicate an attacker gathering system information in preparation for exploitation or lateral movement. Using process creation telemetry from Endpoint Detection and Response (EDR) solutions, Sysmon, and Windows Event Logs, the rule monitors for process creation events where MSIExec is the parent process.
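The logic described above, as an added example that is not the rule's own query: it walks Sysmon-style process creation records (Event ID 1 with `ParentImage`, `Image`, `CommandLine` and `ParentProcessGuid` fields), ignores MSIExec launching further MSIExec instances, records every other child of an MSIExec parent, and raises an alert when one parent spawns two or more shell/discovery binaries. PowerShell and Cmd come from the summary; `pwsh.exe`, the threshold of two, and the sample events are assumptions made for this example.

```python
"""Flag msiexec.exe spawning discovery/shell commands in Sysmon-style process events.

Added example, not the rule's own query. Input is a list of dicts shaped like
Sysmon Event ID 1 records (ParentImage, Image, CommandLine, ParentProcessGuid).
"""
from collections import defaultdict
import ntpath

# Child binaries treated as discovery/shell tooling. powershell.exe and cmd.exe
# come from the rule summary; pwsh.exe is an assumption for this example.
DISCOVERY_BINARIES = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _basename(path: str) -> str:
    # Sysmon Image fields are full Windows paths; compare on the file name only.
    return ntpath.basename(path).lower()


def find_msiexec_children(events, threshold=2):
    """Return (alerts, observations).

    observations: (parent_guid, child_basename, command_line) for every process
                  whose parent is msiexec.exe and that is not msiexec.exe itself.
    alerts:       one dict per msiexec parent that spawned >= threshold children
                  from DISCOVERY_BINARIES (the "multiple discovery commands" part).
    """
    observations = []
    per_parent = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 1:           # only process creation records
            continue
        if _basename(ev["ParentImage"]) != "msiexec.exe":
            continue
        child = _basename(ev["Image"])
        if child == "msiexec.exe":           # msiexec spawning itself is expected
            continue
        observations.append((ev["ParentProcessGuid"], child, ev["CommandLine"]))
        if child in DISCOVERY_BINARIES:
            per_parent[ev["ParentProcessGuid"]].append(ev)

    alerts = []
    for guid, evs in per_parent.items():
        if len(evs) >= threshold:
            alerts.append({
                "parent_guid": guid,
                "parent_image": evs[0]["ParentImage"],
                "children": [_basename(e["Image"]) for e in evs],
                "command_lines": [e["CommandLine"] for e in evs],
            })
    return alerts, observations


# Constructed sample telemetry (not real logs). P1 is the suspicious parent,
# P2 spawns a single cmd.exe, P3 is an unrelated explorer.exe parent.
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentProcessGuid": "{P1}", "ParentImage": MSIEXEC,
     "Image": MSIEXEC, "CommandLine": "msiexec.exe /V"},
    {"EventID": 1, "ParentProcessGuid": "{P1}", "ParentImage": MSIEXEC,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c systeminfo"},
    {"EventID": 1, "ParentProcessGuid": "{P1}", "ParentImage": MSIEXEC,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ComputerInfo"},
    {"EventID": 1, "ParentProcessGuid": "{P2}", "ParentImage": MSIEXEC,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c set"},
    {"EventID": 1, "ParentProcessGuid": "{P3}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 3, "ParentProcessGuid": "{P1}"},   # network event, ignored
]

if __name__ == "__main__":
    alerts, observations = find_msiexec_children(SAMPLE_EVENTS)
    for guid, child, cmdline in observations:
        print(f"msiexec child: parent={guid} child={child} cmd={cmdline!r}")
    for a in alerts:
        print(f"ALERT: {a['parent_guid']} spawned {a['children']}")
```

On the sample data the function records three msiexec children (two under P1, one under P2) and raises a single alert for P1. The threshold is a tuning knob: MSI packages with custom actions can legitimately launch `cmd.exe` or `powershell.exe` during an install, so in production the observations list is the place to build an allowlist of known installer behavior while the alerts list carries the "multiple discovery commands" pattern the rule describes.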
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1218.007
Created: 2024-12-10