
Summary
This detection rule targets potential abuse of msiexec.exe, a legitimate Windows utility that adversaries repurpose to execute unauthorized payloads. The rule specifically monitors for instances where msiexec.exe is invoked to run file types other than standard .msi installation packages. Because msiexec.exe is normally used for software installation, its misuse can indicate attempts at malicious execution. The logic queries endpoint data and filters for suspicious execution patterns, using a regex to capture any process invocation of msiexec that attempts to run non-.msi files, a pattern indicative of the evasion tactics associated with malware such as Raspberry Robin and Zloader. By analyzing the frequency of unique processes, the rule flags potential abuse scenarios that require closer monitoring and investigation.
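The matching logic described above, as an added Python illustration that is not part of the rule itself: it runs over constructed process-creation events, keeps only msiexec.exe images, extracts the operand arguments (skipping switches, the log path after /l*, PROPERTY=value pairs and {ProductCode} operands, which would otherwise cause false positives), flags operands whose extension is not .msi, and counts hits per unique host and image. The event field names and sample values are assumptions.

```python
import ntpath
import re
from collections import Counter

SAMPLE_EVENTS = [  # constructed sample process-creation events, not real telemetry
    {"host": "WS01", "process": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Temp\7zip.msi" /qn'},
    {"host": "WS01", "process": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /q /i C:\Users\Public\update.png"},
    {"host": "WS02", "process": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"msiexec /i C:\ProgramData\cache\a.txt /l*v C:\Temp\install.log /qn"},
    {"host": "WS02", "process": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"MSIEXEC.EXE /X {12345678-1234-1234-1234-123456789ABC} /QN"},
    {"host": "WS03", "process": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
]

MSIEXEC_RE = re.compile(r"(?:^|\\)msiexec(?:\.exe)?$", re.IGNORECASE)  # image name
TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')                 # quoted or bare argument
PRODUCT_CODE_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")  # {ProductCode} used by /x

def msiexec_targets(cmdline):  # file-like operands msiexec was asked to act on
    tokens = [q or u for q, u in TOKEN_RE.findall(cmdline)]
    targets, skip_next = [], False
    for tok in tokens[1:]:                  # tokens[0] is the image name itself
        if skip_next:                       # operand of /l* or /log is the log file
            skip_next = False
            continue
        if tok[0] in "/-":                  # a switch such as /i, /q, /x, /l*v
            skip_next = tok[1:2].lower() == "l"
            continue
        if "=" in tok or PRODUCT_CODE_RE.match(tok):   # PROPERTY=value or product GUID
            continue
        targets.append(tok)
    return targets

def is_non_msi(target):  # ntpath handles Windows separators on any host OS
    return ntpath.splitext(target)[1].lower() != ".msi"

def detect(events):  # msiexec runs whose operand is not an .msi package
    hits = []
    for ev in events:
        bad = [t for t in msiexec_targets(ev["cmdline"]) if is_non_msi(t)]
        if MSIEXEC_RE.search(ev["process"]) and bad:
            hits.append({**ev, "targets": bad})
    return hits

def summarize(hits):  # hits per unique (host, image), the rule's frequency view
    return Counter((h["host"], h["process"]) for h in hits)
```

Real telemetry should additionally be checked for renamed copies of msiexec.exe (compare the original file name or hash, not only the image path), which this path-based filter does not cover.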
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
- User Account
ATT&CK Techniques
- T1218.007
Created: 2024-02-09