
Remote Management Access Launch After MSI Install

Elastic Detection Rules

Summary
This rule detects a suspicious Windows endpoint sequence where an MSI installer is launched and, within a short window (at most 1 minute), a remote management tool is started on the same host. Specifically, it looks for msiexec.exe starting with an install argument (/i or -i) followed by the immediate execution of commonly abused remote access software such as ScreenConnect, Syncro, tvnserver, or winvnc.

The detection is implemented as a 1-minute sequence on a host: first a Windows process event for msiexec.exe with arguments including "/i"; then a subsequent process start for one of the remote management tools with indicative command lines or binary names (e.g., ScreenConnect.ClientService.exe with a guest session key pattern, Syncro.Installer.exe with --config-json and --key, or tvnserver/winvnc).

The rule maps to MITRE ATT&CK technique T1219 (Remote Access Tools), specifically remote desktop software under the Command and Control tactic (TA0011 / T1219.002). Data sources include endpoint process telemetry and file events, and the rule is corroborated by telemetry from multiple security data sources (e.g., Sysmon, Windows Security logs, and third-party EDR sensors). The intent is to flag potential abuse where an attacker uses an MSI delivery to install a remote access tool and establish active remote control, which could enable C2, persistence, and data exfiltration.

Recommended triage steps include verifying MSI provenance and approval for the host, inspecting the MSI's source and delivery method, reviewing subsequent network connections to identify the remote host, correlating with other alerts (initial access, persistence, C2), and validating whether the RMM activity is legitimate. If unauthorized, isolate the host, terminate the remote access client, block the MSI installation path, and investigate attacker delivery and operator details.
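The two-stage, per-host, 1-minute sequence described above, as an added illustration run over constructed process events (this is example code written for this page, not the Elastic rule's own EQL; the ScreenConnect and Syncro command-line patterns and the event field names are assumptions):

```python
import re
from datetime import datetime, timedelta

# The rule's window: the RMM start must follow the msiexec install within 1 minute.
WINDOW = timedelta(minutes=1)

def is_msi_install(ev):
    """Stage 1: msiexec.exe launched with an install switch (/i or -i)."""
    if ev["process"].lower() != "msiexec.exe":
        return False
    return any(a.lower() in ("/i", "-i") for a in ev["args"])

def is_rmm_start(ev):
    """Stage 2: a remote management tool, matched by binary name or indicative
    command line. The literal patterns below are assumptions for this example."""
    name = ev["process"].lower()
    cmd = " ".join(ev["args"])
    if name in ("tvnserver.exe", "winvnc.exe"):
        return True
    if name == "screenconnect.clientservice.exe" and re.search(r"e=Access&y=Guest", cmd):
        return True  # assumed guest-session key pattern
    if name == "syncro.installer.exe" and "--config-json" in cmd and "--key" in cmd:
        return True
    return False

def detect_sequence(events):
    """Correlate by host: for each msiexec install, report the first RMM start on the
    same host within WINDOW. Returns a list of (host, msi_event, rmm_event)."""
    events = sorted(events, key=lambda e: e["ts"])
    hits = []
    for i, first in enumerate(events):
        if not is_msi_install(first):
            continue
        for second in events[i + 1:]:
            if second["ts"] - first["ts"] > WINDOW:
                break  # events are time-sorted, so nothing later can match
            if second["host"] == first["host"] and is_rmm_start(second):
                hits.append((first["host"], first, second))
                break
    return hits

def _ev(ts, host, process, args):
    return {"ts": datetime.fromisoformat(ts), "host": host, "process": process, "args": args}

# Constructed sample telemetry (not real data): one true sequence, two non-matches.
SAMPLE_EVENTS = [
    _ev("2026-03-18T10:00:00", "WS01", "msiexec.exe", ["/i", "C:\\Users\\u\\Downloads\\invoice.msi", "/qn"]),
    _ev("2026-03-18T10:00:20", "WS01", "ScreenConnect.ClientService.exe", ["?e=Access&y=Guest&h=relay.example&p=443&k=KEY_PLACEHOLDER"]),
    _ev("2026-03-18T10:05:00", "WS02", "msiexec.exe", ["/i", "C:\\deploy\\agent.msi"]),
    _ev("2026-03-18T10:08:00", "WS02", "winvnc.exe", []),  # 3 minutes later: outside the window
    _ev("2026-03-18T10:10:00", "WS03", "Syncro.Installer.exe", ["--config-json", "cfg.json", "--key", "K"]),  # no preceding MSI
]
```

Only the WS01 pair fires; WS02 falls outside the 1-minute window and WS03 has no msiexec /i stage, which is exactly why the sequence form is tighter than alerting on either event alone.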
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1219
  • T1219.002
Created: 2026-03-18