
Summary
This detection rule targets the installation of MSI packages from potentially suspicious locations on Windows systems. It selects Application log events written by the MsiInstaller provider with Event ID 1040 or 1042 and flags those whose install path lies in a directory commonly used for temporary or user-writable files: \Windows\TEMP\, Desktop, and Users\Public. To limit false positives it excludes Windows Package Manager installations and specific temporary health tools. The rule's purpose is to surface unwanted software installations that may indicate malicious activity, such as exploitation attempts carried out through rogue MSI installations. Because some legitimate installations do run from these directories, a baseline of expected install paths must be established before the rule is relied on; tuning against that baseline separates benign installs from malicious ones and keeps alert noise down.
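The selection and exclusion logic described above, replayed over a handful of constructed Application-log events. This is an added example, not the rule's own definition or a vendor's code: the suspicious path fragments and Event IDs come from the description, while the exclusion fragments (a WinGet staging directory and a health-tool directory) are assumed placeholders, since the page does not state the literal strings the rule uses.

```python
"""Replay the MsiInstaller suspicious-location check over constructed events.

Added example. Event IDs and suspicious path fragments follow the rule's
description; the exclusion fragments below are ASSUMED stand-ins.
"""
from dataclasses import dataclass

# Event IDs named by the rule: 1040 = installer transaction begins,
# 1042 = installer transaction ends.
WATCHED_EVENT_IDS = {1040, 1042}

# Directories the rule treats as potentially suspicious install locations.
SUSPICIOUS_PATH_FRAGMENTS = ("\\Windows\\TEMP\\", "\\Desktop\\", "\\Users\\Public\\")

# Exclusions. The page only says "Windows Package Manager installations" and
# "specific temporary health tools"; these strings are assumptions, not the
# rule's literal values.
EXCLUDED_PATH_FRAGMENTS = (
    "\\AppData\\Local\\Temp\\WinGet\\",               # assumed WinGet staging dir
    "\\Windows\\TEMP\\{PLACEHOLDER-HEALTH-TOOL}\\",   # placeholder, not a real path
)


@dataclass(frozen=True)
class AppLogEvent:
    provider: str   # Application log provider name
    event_id: int
    data: str       # message body, which carries the .msi path


def _contains_any(text: str, fragments) -> bool:
    # Sigma 'contains' matching is case-insensitive, so normalise both sides.
    lowered = text.lower()
    return any(fragment.lower() in lowered for fragment in fragments)


def is_suspicious_msi_install(event: AppLogEvent) -> bool:
    """True when the event matches the selection and no exclusion applies."""
    if event.provider != "MsiInstaller" or event.event_id not in WATCHED_EVENT_IDS:
        return False
    if not _contains_any(event.data, SUSPICIOUS_PATH_FRAGMENTS):
        return False
    return not _contains_any(event.data, EXCLUDED_PATH_FRAGMENTS)


def find_suspicious(events):
    """Return the subset of events the rule would alert on."""
    return [event for event in events if is_suspicious_msi_install(event)]


# Constructed sample events (not real telemetry). The 1040/1042 text mirrors
# the "Beginning/Ending a Windows Installer transaction: <path>" message shape.
SAMPLE_EVENTS = [
    AppLogEvent("MsiInstaller", 1040,
                r"Beginning a Windows Installer transaction: C:\Windows\TEMP\update.msi. Client Process Id: 1234."),
    AppLogEvent("MsiInstaller", 1042,
                r"Ending a Windows Installer transaction: C:\Users\alice\Desktop\tool.msi. Client Process Id: 1234."),
    # Excluded: suspicious directory, but under the (placeholder) health-tool path.
    AppLogEvent("MsiInstaller", 1040,
                r"Beginning a Windows Installer transaction: C:\Windows\TEMP\{PLACEHOLDER-HEALTH-TOOL}\tool.msi. Client Process Id: 99."),
    # Benign: ordinary install location.
    AppLogEvent("MsiInstaller", 1040,
                r"Beginning a Windows Installer transaction: C:\Program Files\Vendor\setup.msi. Client Process Id: 77."),
    # Wrong provider: same path, but not an MsiInstaller event.
    AppLogEvent("OtherProvider", 1040, r"C:\Users\Public\dropper.msi"),
    # Wrong Event ID: 1033 (install completed) is not in the rule's selection.
    AppLogEvent("MsiInstaller", 1033, r"Product: X -- Installation completed. C:\Users\Public\dropper.msi"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit.event_id}: {hit.data}")
```

The two explicit gates (provider and Event ID) come first so that a path fragment alone, as in the last two samples, never produces an alert; when you add real exclusion strings from your baseline, keep them as narrow directory fragments rather than bare file names so that an attacker cannot satisfy the exclusion by renaming a package.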
Categories
- Windows
Data Sources
- Application Log
- Logon Session
Created: 2022-08-31