Suspicious MsiExec Embedding Parent

Sigma Rules

Summary
This detection rule targets misuse of msiexec.exe as a proxy for commands run through common shells such as PowerShell and CMD. It fires when one of these shells is started with a parent command line containing 'MsiExec.exe -Embedding', the form msiexec takes when the Windows Installer service launches it as a COM server; adversaries can abuse that context to run scripts or programs covertly under a trusted Windows binary. The behavior maps to attack.t1218.007 (proxy execution through msiexec). Filters exclude benign uses, such as those from System32 and specific legitimate command lines, to limit false positives. The rule thus extends monitoring of process-creation events in Windows environments and helps identify this defense-evasion technique.
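The selection-and-filter logic described above, evaluated over constructed Sysmon process-creation records. This is an added example, not the rule's own YAML; the exact filter contents are assumptions, since the page only says that System32 uses and certain legitimate command lines are excluded.

```python
"""Sigma-style evaluation of 'Suspicious MsiExec Embedding Parent' over constructed
Sysmon Event ID 1 records (added example, not the rule's YAML). Matching is
case-insensitive like Sigma's default modifiers; both filters are assumptions."""

SHELL_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
PARENT_MARKER = "msiexec.exe -embedding"   # msiexec started as a COM server
# Assumed filter 1: shell command lines that only reference a System32 path.
FILTER_CMDLINE_CONTAINS = ("c:\\windows\\system32\\",)
# Assumed filter 2: exact allowlisted installer command lines (placeholder value).
FILTER_LEGIT_CMDLINES = ("placeholder_legitimate_commandline",)

def _field(event, name):
    """Lower-cased field value; a missing field is treated as empty."""
    return str(event.get(name, "")).lower()

def selection(event):
    """Shell child whose parent command line shows msiexec in -Embedding mode."""
    return (PARENT_MARKER in _field(event, "ParentCommandLine")
            and _field(event, "Image").endswith(SHELL_SUFFIXES))

def filtered(event):
    """True when an assumed benign-use filter suppresses the event."""
    cmd = _field(event, "CommandLine")
    return any(f in cmd for f in FILTER_CMDLINE_CONTAINS) or cmd in FILTER_LEGIT_CMDLINES

def matches(event):
    """Sigma condition: selection and not filter."""
    return selection(event) and not filtered(event)

def alerts(events):
    """Ids of the events that fire the rule."""
    return [e["Id"] for e in events if matches(e)]

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"Id": "evt-1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c PLACEHOLDER_SCRIPT",
     "ParentCommandLine": r"C:\Windows\System32\MsiExec.exe -Embedding 1A2B3C"},
    {"Id": "evt-2", "Image": r"C:\Windows\System32\cmd.exe",           # benign installer step
     "CommandLine": r"C:\Windows\System32\cmd.exe /c ver",
     "ParentCommandLine": r"C:\Windows\System32\MsiExec.exe -Embedding 1A2B3C"},
    {"Id": "evt-3", "Image": r"C:\Windows\System32\cmd.exe",           # wrong parent
     "CommandLine": "cmd.exe /c dir",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"Id": "evt-4", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",  # case variant
     "CommandLine": r"pwsh.exe -File C:\Users\Public\run.ps1",
     "ParentCommandLine": "MSIEXEC.EXE -EMBEDDING 4D5E6F"},
]
```

Any allowlist in `filtered` is a gap in coverage, so keep it as narrow as the observed benign installers require and review it when new noise appears.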
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1218.007
Created: 2022-04-16