
Summary
This detection rule targets abuse of the Windows utility "devinit.exe", which can be manipulated to download arbitrary MSI (Microsoft Installer) packages. It looks for the command line flags that indicate this behavior, namely "-t msi-install" combined with "-i http", in order to flag potential misuse of this legitimate tool, often referred to as a Living Off The Land Binary (LOLBIN). The detection is grounded in process creation events generated on Windows systems, which gives visibility into the utility being used for software installation or execution rather than for its legitimate administrative tasks. This behavior poses a risk because it could lead to the download and installation of unauthorized or malicious software. The rule has a medium severity level because the utility also has legitimate uses, and it is designed to assist in monitoring and defending against such exploitation attempts.
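The matching logic described above, as an added illustration that is not the rule's own code: it evaluates process creation events for the devinit.exe image together with both flags, "-t msi-install" and "-i http". The event field layout (image path, command line, parent image), the sample events and the URL in them are constructed for this example and are not taken from the rule.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessCreationEvent:
    """Minimal process creation record (constructed field layout, not the rule's schema)."""
    image: str          # full path of the created process
    command_line: str   # command line as logged
    parent_image: str = ""


def _normalize(cmd: str) -> str:
    """Lower-case and collapse whitespace so spacing variants still match."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


def is_devinit_msi_download(event: ProcessCreationEvent) -> bool:
    """Return True when the event matches the rule: devinit.exe invoked with
    both '-t msi-install' and '-i http' on its command line."""
    image = event.image.lower()
    if not (image.endswith("\\devinit.exe") or image == "devinit.exe"):
        return False
    cmd = _normalize(event.command_line)
    # Both flags are required; '-i http' covers http:// and https:// sources.
    return "-t msi-install" in cmd and "-i http" in cmd


def find_matches(events):
    """Filter a batch of events down to those the rule would alert on."""
    return [e for e in events if is_devinit_msi_download(e)]


# Constructed sample events (hypothetical paths and a placeholder URL).
SAMPLE_EVENTS = [
    # Remote MSI fetched via devinit.exe: the behavior the rule flags.
    ProcessCreationEvent(
        image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\devinit\devinit.exe",
        command_line=r'devinit.exe run -t msi-install  -i https://example.invalid/pkg.msi',
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    # Same tool, local MSI path: no '-i http', so no match.
    ProcessCreationEvent(
        image=r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\devinit\devinit.exe",
        command_line=r"devinit.exe run -t msi-install -i C:\installers\tool.msi",
    ),
    # Different binary with similar arguments: outside the rule's scope.
    ProcessCreationEvent(
        image=r"C:\Windows\System32\msiexec.exe",
        command_line=r"msiexec.exe /i https://example.invalid/pkg.msi /quiet",
    ),
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT devinit MSI download: {hit.command_line} (parent: {hit.parent_image})")
```

Only the first sample event fires. Because the page rates the rule medium severity on account of the tool's legitimate uses, an analyst triaging a hit would normally look at the parent process and the MSI source host before escalating; the parent image is carried on the event for that reason.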
Categories
- Windows
Data Sources
- Process
Created: 2022-01-11