AteraAgent Installation - Windows

Anvilogic Forge

Summary
The proposed detection rule identifies the installation of AteraAgent, a remote monitoring and management (RMM) tool. Adversaries may use such software to establish a command and control channel and administer compromised systems covertly. Remote access software of this kind is often legitimate, but it can also be misused for unauthorized access after a compromise. By monitoring Windows event logs, specifically Event Code 1033 written by MsiInstaller for software installations, the rule captures the key attributes that indicate AteraAgent is being installed. The logic collects these events and organizes them by time, host, and user, and also records the associated process, so that analysts can investigate potential misuse of this tool.
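As an added example (not the Forge rule itself, whose query logic is not shown on this page), the following Python parses constructed MsiInstaller Event ID 1033 records from the Application log, flags AteraAgent installs, and organizes the hits by host and user; the record field names, hosts, users, versions and manufacturer string are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample Application-log records, not real telemetry. The message
# text follows the standard MsiInstaller Event ID 1033 layout; hosts, users,
# versions and the manufacturer string are made-up values.
SAMPLE_EVENTS = [
    {"time": "2024-02-09T10:12:31Z", "host": "WS-017", "user": "CORP\\jdoe", "process": "msiexec.exe",
     "provider": "MsiInstaller", "event_id": 1033, "message": "Windows Installer installed the product. "
     "Product Name: AteraAgent. Product Version: 1.8.6.9. Product Language: 1033. "
     "Manufacturer: Atera Networks Ltd.. Installation success or error status: 0."},
    {"time": "2024-02-09T10:15:02Z", "host": "WS-017", "user": "CORP\\jdoe", "process": "msiexec.exe",
     "provider": "MsiInstaller", "event_id": 1033, "message": "Windows Installer installed the product. "
     "Product Name: 7-Zip 23.01 (x64 edition). Product Version: 23.01.00.0. Product Language: 1033. "
     "Manufacturer: Igor Pavlov. Installation success or error status: 0."},
    {"time": "2024-02-09T11:40:55Z", "host": "SRV-DB02", "user": "CORP\\svc-backup", "process": "msiexec.exe",
     "provider": "MsiInstaller", "event_id": 1033, "message": "Windows Installer installed the product. "
     "Product Name: AteraAgent. Product Version: 1.8.6.9. Product Language: 1033. "
     "Manufacturer: Atera Networks Ltd.. Installation success or error status: 1603."},
    {"time": "2024-02-09T11:41:10Z", "host": "SRV-DB02", "user": "CORP\\svc-backup", "process": "msiexec.exe",
     "provider": "MsiInstaller", "event_id": 11707,
     "message": "Product: AteraAgent -- Installation completed successfully."},
]

# Field layout of the 1033 message body; lazy groups cope with dots inside names/versions.
MSI_1033_RE = re.compile(
    r"Product Name: (?P<product>.+?)\. Product Version: (?P<version>\S+?)\. "
    r"Product Language: \d+\. Manufacturer: (?P<vendor>.+?)\. "
    r"Installation success or error status: (?P<status>\d+)\.")

def parse_msi_1033(event):
    """Return the product fields of an MsiInstaller Event ID 1033 record, else None."""
    if event.get("provider") != "MsiInstaller" or event.get("event_id") != 1033:
        return None
    m = MSI_1033_RE.search(event.get("message", ""))
    return m.groupdict() if m else None

def detect_ateraagent_installs(events, product_match="ateraagent"):
    """Flag 1033 installs whose product name contains the RMM agent name (case-insensitive).
    A non-zero status means the MSI did not complete, but the attempt is still reported."""
    hits = []
    for ev in events:
        fields = parse_msi_1033(ev)
        if fields and product_match in fields["product"].lower():
            hits.append({"time": ev["time"], "host": ev["host"], "user": ev["user"],
                         "process": ev["process"], "succeeded": fields["status"] == "0", **fields})
    return sorted(hits, key=lambda h: h["time"])

def group_by_host_user(hits):
    """Organize hits by (host, user) so an analyst sees who installed the agent where."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[(h["host"], h["user"])].append(h)
    return dict(grouped)
```

The third record shows why the status field is kept: a failed install (status 1603) is still an installation attempt worth reviewing, while the 11707 record is ignored because the rule keys on Event Code 1033 only.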
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1219
Created: 2024-02-09