
MsiExec Service Child Process With Network Connection

Elastic Detection Rules

Summary
The detection rule identifies a child process spawned by MsiExec (the Microsoft Windows Installer) that is followed by network or DNS lookup activity. Adversaries may abuse MsiExec for initial access, using it to execute malicious payloads disguised as legitimate installations. The rule works by monitoring process starts whose parent is MsiExec and then capturing subsequent network events from those processes, which are not typical of legitimate installations.

The EQL (Event Query Language) sequence specifies a timeframe of the last 9 months and focuses on Windows events: it filters for process starts under MsiExec, ensures the child executable does not match the paths of typical trusted applications, and then looks for network or DNS activity from those processes. This approach is designed to identify misuse indicative of malware delivery or initial-access attempts.

Investigation involves reviewing the process tree, analyzing unusual executable paths, and correlating DNS and network activity to spot deviations from standard installation behaviour. Unusual command-line arguments deserve attention, as they can signal malicious actions. The context of the alert, including the host's role and any signs of prior compromise, should also be assessed.
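The process-then-network sequence described above, as an added Python illustration that is not the Elastic rule's own EQL; the event field names, the trusted-directory list and the one-minute join window are assumptions of this example.

```python
from datetime import datetime, timedelta

# Trusted install locations; children started here are excluded (assumption standing in for the rule's list).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

def detect_msiexec_child_network(events, maxspan=timedelta(minutes=1)):
    """Mimic an EQL sequence joined on pid: a process start whose parent is
    msiexec.exe and whose image lies outside TRUSTED_DIRS, followed within
    maxspan by a network or DNS event from that same pid."""
    pending = {}   # pid -> (start time, child executable)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] == "process" and ev["type"] == "start":
            parent_is_msiexec = ev.get("parent_exe", "").lower().endswith("\\msiexec.exe")
            if parent_is_msiexec and not ev["exe"].lower().startswith(TRUSTED_DIRS):
                pending[ev["pid"]] = (ev["ts"], ev["exe"])
        elif ev["category"] in ("network", "dns"):
            hit = pending.get(ev["pid"])
            if hit and ev["ts"] - hit[0] <= maxspan:
                alerts.append({"pid": ev["pid"], "child_exe": hit[1],
                               "category": ev["category"], "detail": ev.get("detail", "")})
                del pending[ev["pid"]]   # one alert per child process
    return alerts

# Constructed sample events (not real telemetry); timestamps are relative to T0.
T0 = datetime(2024, 9, 9, 10, 0, 0)
MSIEXEC = "C:\\Windows\\System32\\msiexec.exe"
SAMPLE_EVENTS = [
    # staged binary from a temp dir resolves a domain 5 s after start: alert
    {"ts": T0, "category": "process", "type": "start", "pid": 4101, "parent_exe": MSIEXEC,
     "exe": "C:\\Users\\bob\\AppData\\Local\\Temp\\MSI1234.tmp\\stage.exe"},
    {"ts": T0 + timedelta(seconds=5), "category": "dns", "pid": 4101, "detail": "updates.example.test"},
    # vendor helper under Program Files connects out: trusted path, no alert
    {"ts": T0 + timedelta(seconds=10), "category": "process", "type": "start", "pid": 4102,
     "parent_exe": MSIEXEC, "exe": "C:\\Program Files\\Vendor\\setup-helper.exe"},
    {"ts": T0 + timedelta(seconds=12), "category": "network", "pid": 4102, "detail": "203.0.113.10:443"},
    # untrusted child whose connection falls outside the maxspan window: no alert
    {"ts": T0 + timedelta(seconds=20), "category": "process", "type": "start", "pid": 4103,
     "parent_exe": MSIEXEC, "exe": "C:\\Users\\bob\\AppData\\Roaming\\late.exe"},
    {"ts": T0 + timedelta(minutes=5), "category": "network", "pid": 4103, "detail": "198.51.100.7:80"},
]

if __name__ == "__main__":
    for alert in detect_msiexec_child_network(SAMPLE_EVENTS):
        print(alert)
```

Only the temp-directory child produces an alert; the Program Files child is excluded by path and the third child's connection arrives after the window closes.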
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Application Log
  • Cloud Service
  • User Account
ATT&CK Techniques
  • T1218
  • T1218.007
Created: 2024-09-09