Suspicious Msiexec Execute Arbitrary DLL

Sigma Rules

Summary
This detection rule identifies potentially malicious use of the Windows Installer service (msiexec.exe) to execute arbitrary DLLs. Adversaries often abuse msiexec.exe, a binary normally associated with legitimate software installation, to run malicious payloads under the guise of a normal installation. The technique falls under the Defense Evasion tactic and is catalogued in the MITRE ATT&CK framework as sub-technique T1218.007 (System Binary Proxy Execution: Msiexec). The rule looks for command-line arguments indicating that msiexec.exe is being launched with DLL paths associated with malicious use. The detection logic matches the executable name in the command line and adds filter conditions that exclude known legitimate invocations, reducing the likelihood of false positives. By monitoring process-creation events for unauthorized DLL execution via msiexec.exe, organizations can better detect and respond to this activity.
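The summary describes the rule's shape (match msiexec.exe in a process-creation command line, extract the DLL argument, exclude known-legitimate invocations) but does not reproduce its selectors. The following is an added illustration of that logic run over constructed process-creation events; it is not the Sigma rule's own text. The use of msiexec's `/y` and `/z` switches (which register and unregister a DLL, and so load it into the msiexec process) as the trigger, and the allow-list of install roots, are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed selector (not the rule text): msiexec's documented /y and /z switches
# register / unregister a DLL, which loads that DLL into msiexec.exe. The
# regex captures the DLL path whether or not it is quoted.
DLL_SWITCH = re.compile(r'(?i)(?:^|\s)/[yz]\s+(?:"([^"]+)"|(\S+))')
# Match the image name regardless of the System32 / SysWOW64 location.
MSIEXEC_IMAGE = re.compile(r'(?i)(?:^|\\)msiexec\.exe$')

# Constructed allow-list (assumption): DLLs under the standard install roots
# stand in for the rule's "known legitimate uses" filter. A production rule
# would carry vendor-specific exclusions instead of a path prefix.
LEGITIMATE_DLL_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal view of a process-creation event (Sysmon Event ID 1 or Security 4688)."""
    image: str
    command_line: str


def extract_dll(command_line: str) -> Optional[str]:
    """Return the DLL path passed to /y or /z, or None if neither switch is present."""
    m = DLL_SWITCH.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_suspicious(event: ProcessCreate) -> bool:
    """Apply the three stages the summary describes: image match, DLL argument, exclusions."""
    if not MSIEXEC_IMAGE.search(event.image):
        return False
    dll = extract_dll(event.command_line)
    if dll is None:
        return False
    # Filter stage: drop invocations that point at an allow-listed location.
    return not dll.lower().startswith(LEGITIMATE_DLL_PREFIXES)


def scan(events: List[ProcessCreate]) -> List[str]:
    """Return the command lines of events that the detection would alert on."""
    return [e.command_line for e in events if is_suspicious(e)]


# Constructed sample events: one ordinary install, one DLL load from a
# user-writable path, one allow-listed vendor DLL, and one non-msiexec process.
SAMPLE_EVENTS = [
    ProcessCreate(r"C:\Windows\System32\msiexec.exe",
                  r'msiexec.exe /i "C:\Temp\setup.msi" /qn'),
    ProcessCreate(r"C:\Windows\System32\msiexec.exe",
                  r"msiexec.exe /y C:\Users\Public\sample.dll"),
    ProcessCreate(r"C:\Windows\SysWOW64\msiexec.exe",
                  r'msiexec /z "C:\Program Files\Vendor\helper.dll"'),
    ProcessCreate(r"C:\Windows\System32\notepad.exe",
                  r"notepad.exe /y C:\Users\Public\notes.dll"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the second event fires: the plain `/i` install has no DLL argument, the vendor DLL is excluded by the allow-list, and the notepad.exe event never passes the image check. Tuning happens in the exclusion stage; widening the prefix list is the usual way a team trades coverage for fewer false positives.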
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1218.007
Created: 2022-01-16