
Summary
This detection rule identifies potentially malicious behavior in Windows environments where the Windows Installer service (msiexec.exe) spawns a command-line interpreter such as 'cmd.exe' or 'powershell.exe'. This behavior can indicate a privilege escalation attempt, in which an attacker leverages the installer to execute arbitrary commands with elevated privileges. The rule looks for process-creation events in which 'cmd.exe' or 'powershell.exe' is started by the installer, specifically where the parent process runs from the Windows Installer directory or carries a common temporary-file extension. Because it is built on process creation telemetry, the rule targets attacks that abuse the interaction between installation and command execution, where a user could run unauthorized commands after gaining privileges through the installer. Matches may need further investigation, since false positives are possible but have not yet been documented for this rule.
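The following is an added example, not part of the original rule or its source project, showing how the matching logic described above can be applied to process-creation events. The Sysmon-style field names (ParentImage, Image, CommandLine), the installer path 'C:\Windows\Installer', the '.tmp' extension, and all sample events are assumptions constructed for illustration.

```python
import ntpath

# Constructed sample process-creation events (field names are an assumption).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\Installer\MSI4A3F.tmp",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Temp\\post-install.ps1"},
    {"ParentImage": r"C:\Program Files\Vendor\setup.exe",   # not the installer
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\Installer\MSI1234.tmp",   # benign child
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\MSI7B2C.tmp",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
INSTALLER_DIR = "\\windows\\installer\\"   # assumed Windows Installer directory
TEMP_EXT = ".tmp"                           # assumed common temporary extension


def parent_is_installer(parent_image: str) -> bool:
    """True when the parent is msiexec.exe, runs from the Installer directory,
    or is a temporary executable such as those the installer extracts."""
    p = parent_image.lower()
    return (ntpath.basename(p) == "msiexec.exe"
            or INSTALLER_DIR in p
            or p.endswith(TEMP_EXT))


def spawns_shell(image: str) -> bool:
    """True when the child process is one of the monitored interpreters."""
    return ntpath.basename(image.lower()) in SHELLS


def matches_rule(event: dict) -> bool:
    return (parent_is_installer(event.get("ParentImage", ""))
            and spawns_shell(event.get("Image", "")))


def find_hits(events):
    """Return every event that satisfies the installer-spawns-shell condition."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT installer -> shell:", hit["ParentImage"], "->", hit["Image"])
```

Events 1, 2 and 5 are flagged; the '.tmp' clause alone is broad, so tuning it to require the Installer directory as well is a common way to reduce noise.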
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2020-10-13