
Failed MSExchange Transport Agent Installation

Sigma Rules

Summary
This detection rule identifies failed installations of Microsoft Exchange transport agents by monitoring the MSExchange Management event log (Sigma logsource service msexchange-management), where Exchange records every cmdlet executed through the management shell. The rule matches EventID 6, which Exchange writes when a cmdlet fails, and additionally requires the event's Data field to contain the string 'Install-TransportAgent', the cmdlet used to register a transport agent DLL with the transport service. A failed installation can indicate an attacker experimenting with transport-agent persistence (MITRE ATT&CK T1505.002, Server Software Component: Transport Agent), for example when an incompatible or badly built DLL is rejected on the first attempt. The rule itself does not filter on the AssemblyPath parameter; that value is the analyst's triage pivot: an AssemblyPath pointing outside the Exchange installation directory, into a user-writable or temporary location, is far more suspicious than one belonging to a known product, and benign operational issues such as a mistyped factory class name or a missing file trigger the same event, so the surrounding context must be validated before escalating. The rule was written by Tobias Michalski of Nextron Systems to surface persistence attempts in compromised Exchange environments.
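The detection logic described above, run over a handful of constructed events, as an added example that is not part of the Sigma rule or the page. The flat record layout (an EventID plus a single Data string holding the cmdlet and its parameters), the sample events, and the expected Exchange install path used for the AssemblyPath triage check are all assumptions for this example; the matching itself follows the rule (EventID 6 and a case-insensitive substring match on 'Install-TransportAgent', which is how Sigma's contains modifier behaves).

```python
import re

# Constructed sample events modeled on MSExchange Management log entries after
# a collector has flattened them. The layout is an assumption for this example.
SAMPLE_EVENTS = [
    # EventID 1 is the "cmdlet succeeded" event: never matched by the rule.
    {"EventID": 1, "Data": 'Install-TransportAgent -Name "Content Filter" '
                           '-TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ContentFilter.ContentFilterAgentFactory" '
                           '-AssemblyPath "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\agents\\Hygiene\\Microsoft.Exchange.Transport.Agent.Hygiene.dll"'},
    # Failed install with a DLL in a user-writable location: the interesting case.
    {"EventID": 6, "Data": 'Install-TransportAgent -Name "Custom Agent" '
                           '-TransportAgentFactory "Agent.Factory" '
                           '-AssemblyPath "C:\\Users\\Public\\agent.dll"'},
    # A different cmdlet failing: EventID matches but the Data filter does not.
    {"EventID": 6, "Data": "Get-TransportAgent"},
    # Failed install of a DLL under the Exchange install directory: likely operational.
    {"EventID": 6, "Data": 'Install-TransportAgent -Name "Mail Flow Agent" '
                           '-TransportAgentFactory "Vendor.Factory" '
                           '-AssemblyPath "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\agents\\Vendor\\Vendor.dll"'},
]

# Assumed default Exchange install location; adjust to the site's actual path.
DEFAULT_INSTALL_PREFIX = "C:\\Program Files\\Microsoft\\Exchange Server\\"

# -AssemblyPath followed by either a quoted value or a single bare token.
ASSEMBLY_PATH_RE = re.compile(r'-AssemblyPath\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def matches_rule(event):
    """Selection from the Sigma rule: EventID 6 and Data contains the cmdlet name."""
    data = event.get("Data", "")
    return event.get("EventID") == 6 and "install-transportagent" in data.lower()


def extract_assembly_path(data):
    """Return the -AssemblyPath argument from the logged cmdlet line, or None."""
    m = ASSEMBLY_PATH_RE.search(data)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def run_rule(events, install_prefix=DEFAULT_INSTALL_PREFIX):
    """Apply the rule and annotate each hit with the triage pivot from the
    rule's false-positive note: whether the DLL lives outside the install dir."""
    hits = []
    for event in events:
        if not matches_rule(event):
            continue
        path = extract_assembly_path(event["Data"])
        outside = path is not None and not path.lower().startswith(install_prefix.lower())
        hits.append({"Data": event["Data"],
                     "AssemblyPath": path,
                     "outside_install_dir": outside})
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        flag = "REVIEW" if hit["outside_install_dir"] else "likely-benign"
        print(f"[{flag}] AssemblyPath={hit['AssemblyPath']}")
```

Only two of the four sample events fire: the successful install (EventID 1) and the failed Get-TransportAgent (no cmdlet-name match) are skipped, and of the two hits only the one whose DLL sits under C:\Users\Public is flagged for review. The prefix check is a coarse heuristic; in practice the analyst should also confirm who ran the cmdlet and whether the DLL is signed by a known vendor.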
Categories
  • Windows
  • Infrastructure
Data Sources
  • Windows Registry
  • Application Log
Created: 2021-06-08