
Summary
This detection rule identifies potential remote installations via `MsiExec`, the Windows utility that executes installation packages. Adversaries often misuse `MsiExec` for initial access and malware delivery by disguising malicious payloads as legitimate installations. The rule uses EQL (Event Query Language) to track suspicious child processes spawned by `MsiExec` that initiate atypical network activity, which may indicate hostile actions. Investigation steps include analyzing the process chain, scrutinizing executable paths, and reviewing associated network connections for activity that diverges from legitimate behavior. The rule aims to mitigate risks associated with malware deployment and to improve security response by outlining potential false positives and remediation measures.
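As an added illustration (not the rule's own EQL or any project code), the following Python re-creates the detection idea described above over constructed process and network events: it remembers processes whose parent is `msiexec.exe`, skips those on an assumed allowlist of trusted image paths, and alerts when one of the remaining children connects to a non-local address. The allowlist entry, sample paths and IP addresses are all constructed for this example.

```python
"""Toy re-implementation of the detection idea: children of msiexec.exe that open
an external network connection (constructed events, not the rule's own EQL)."""
from dataclasses import dataclass

# Assumed allowlist of installer helpers known to use the network legitimately.
# Constructed for this example; a real rule is tuned from observed false positives.
TRUSTED_CHILD_PATHS = {r"c:\program files\trusted vendor\updater.exe"}

@dataclass(frozen=True)
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    pid: int
    parent_name: str = ""
    name: str = ""
    path: str = ""
    dest_ip: str = ""
    dest_port: int = 0

def is_local(ip: str) -> bool:
    """Loopback and RFC 1918 ranges: local traffic is not treated as atypical."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a, b) == (192, 168)

def detect_msiexec_network_children(events: list[Event]) -> list[dict]:
    """Alert when a non-allowlisted msiexec.exe child connects to a non-local address."""
    children = {}   # pid -> creation event of an msiexec.exe child
    alerts = []
    for ev in events:
        if ev.kind == "process" and ev.parent_name.lower() == "msiexec.exe":
            if ev.path.lower() not in TRUSTED_CHILD_PATHS:
                children[ev.pid] = ev
        elif ev.kind == "network" and ev.pid in children and not is_local(ev.dest_ip):
            proc = children[ev.pid]
            alerts.append({"pid": ev.pid, "process": proc.name, "path": proc.path,
                           "dest": f"{ev.dest_ip}:{ev.dest_port}"})
    return alerts

# Constructed sample events: a child talking to loopback, an allowlisted updater,
# and a child written to a user-writable directory that calls out externally.
SAMPLE_EVENTS = [
    Event("process", 500, "msiexec.exe", "setup.exe", r"C:\Windows\Temp\setup.exe"),
    Event("network", 500, dest_ip="127.0.0.1", dest_port=8080),
    Event("process", 501, "msiexec.exe", "updater.exe", r"C:\Program Files\Trusted Vendor\updater.exe"),
    Event("network", 501, dest_ip="203.0.113.10", dest_port=443),
    Event("process", 502, "msiexec.exe", "update.exe", r"C:\Users\Public\update.exe"),
    Event("network", 502, dest_ip="198.51.100.25", dest_port=443),
]

if __name__ == "__main__":
    print(detect_msiexec_network_children(SAMPLE_EVENTS))
```

Only the third child is reported; the loopback connection and the allowlisted updater are dropped, which is the kind of tuning the rule's false-positive guidance refers to.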
Categories
- Endpoint
- Windows
Data Sources
- User Account
- Process
- Application Log
- Network Traffic
- Windows Registry
- Cloud Service
ATT&CK Techniques
- T1218
- T1218.007
Created: 2025-08-19