
Windows Execute Arbitrary Commands with MSDT

Splunk Security Content

Summary
This analytic detects attempts to execute arbitrary commands through the Microsoft Support Diagnostic Tool (msdt.exe) using Endpoint Detection and Response (EDR) telemetry. It looks for msdt.exe being invoked through the ms-msdt: URI protocol handler, which a crafted document or link can use to hand the troubleshooter parameters that run an attacker-supplied payload. Such abuse gives the attacker code execution in the context of the user who opened the lure, which may then be leveraged to escalate privileges and compromise the system further. The detection matches patterns in process-creation events (process name and command line) and requires that process telemetry be ingested, for example Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line logging enabled. Any hit should be treated as a potential exploitation event and investigated: confirm the parent process (an Office application points to a phishing attachment, T1566.001), decode the payload carried in the command line, and check for child processes spawned by msdt.exe.
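The following is an added example, not the Splunk analytic itself: a minimal re-implementation of the strategy described above, run over constructed Sysmon Event ID 1 style process-creation records. The field names mirror Sysmon's (Image, OriginalFileName, CommandLine, ParentImage); the sample events, the set of Office parent processes and the payload markers are assumptions chosen for illustration. Beyond the bare ms-msdt: check, it also matches on the PE OriginalFileName so that a copied and renamed msdt.exe is still caught, and it shows why the match must be constrained to the msdt.exe process: the published registry mitigation also contains the string ms-msdt.

```python
"""
Added example (not the Splunk Security Content rule): detection logic
for arbitrary command execution via msdt.exe and the ms-msdt: URI
handler, evaluated over constructed Sysmon Event ID 1 records.
"""
from __future__ import annotations

import ntpath
import re

# Parents that indicate a lure document spawned the troubleshooter
# (T1566.001 delivery). Assumed set, chosen for illustration.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Markers that turn an ms-msdt: URI into command execution: the
# PCWDiagnostic troubleshooter's IT_* parameters, the /skip force switch
# that suppresses prompts, and PowerShell subexpression syntax.
PAYLOAD_MARKERS = ("IT_BrowseForFile", "IT_RebrowseForFile",
                   "IT_LaunchMethod", "/skip force", "$(")

# Matches both spellings seen in the wild: ms-msdt:/id and ms-msdt:-id
MS_MSDT_URI = re.compile(r"ms-msdt:[/\-]", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def is_msdt(event: dict) -> bool:
    """True if the binary is msdt.exe by path or by PE OriginalFileName
    (the latter catches a copied/renamed binary)."""
    return (basename(event.get("Image", "")) == "msdt.exe"
            or event.get("OriginalFileName", "").lower() == "msdt.exe")


def evaluate(event: dict) -> dict | None:
    """Return a finding for suspicious msdt.exe use, else None."""
    if not is_msdt(event):
        return None
    cmd = event.get("CommandLine", "")
    uri = bool(MS_MSDT_URI.search(cmd))
    markers = [m for m in PAYLOAD_MARKERS if m.lower() in cmd.lower()]
    if not uri and not markers:
        return None  # ordinary troubleshooter launch, e.g. from Control Panel
    office_parent = basename(event.get("ParentImage", "")) in OFFICE_PARENTS
    if markers and office_parent:
        severity = "high"
    elif markers or office_parent:
        severity = "medium"
    else:
        severity = "low"
    return {"ProcessId": event.get("ProcessId"), "severity": severity,
            "uri": uri, "markers": markers, "office_parent": office_parent,
            "renamed": basename(event.get("Image", "")) != "msdt.exe"}


def run_detection(events: list[dict]) -> list[dict]:
    """Apply evaluate() to every event and keep the findings."""
    return [f for f in map(evaluate, events) if f]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # 1: benign troubleshooter launch from Control Panel
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\msdt.exe",
     "OriginalFileName": "msdt.exe",
     "ParentImage": r"C:\Windows\System32\control.exe",
     "CommandLine": r"msdt.exe -path C:\Windows\diagnostics\index\AudioPlaybackDiagnostic.xml -af C:\Users\u\AppData\Local\Temp\x.xml"},
    # 2: lure document invoking the protocol handler with a PowerShell payload
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\msdt.exe",
     "OriginalFileName": "msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(calc.exe)i/../../../../Windows/System32/mpsigstub.exe"'},
    # 3: msdt.exe copied and renamed; OriginalFileName still says msdt.exe
    {"ProcessId": 1003, "Image": r"C:\Users\Public\diag.exe",
     "OriginalFileName": "msdt.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"diag.exe ms-msdt:/id PCWDiagnostic /skip force"},
    # 4: the published registry mitigation mentions ms-msdt but is not msdt.exe
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\reg.exe",
     "OriginalFileName": "reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg delete HKEY_CLASSES_ROOT\ms-msdt /f"},
]

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Running it reports events 1002 (high: Office parent plus IT_* payload markers) and 1003 (medium: renamed binary, URI and /skip force but a cmd.exe parent), while the Control Panel launch and the reg.exe mitigation produce no finding. In a production rule the severity tiers would feed risk scoring rather than a print statement.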
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1218 (System Binary Proxy Execution)
  • T1566.001 (Phishing: Spearphishing Attachment)
Created: 2024-12-10