
Suspicious Cabinet File Execution Via Msdt.EXE

Sigma Rules

Summary
This detection rule identifies potential exploitation of the Microsoft Support Diagnostic Tool (msdt.exe) by monitoring for suspicious command-line execution that combines the '-cab' flag with a .diagcab file. Invoking msdt.exe with the '-cab' flag can indicate an attempt to run a diagnostic cabinet file containing an embedded answer file, potentially related to the CVE-2022-30190 vulnerability. The rule triggers on process creation events in which msdt.exe is executed with command-line arguments indicating the use of a cab file. It also accounts for potential false positives, in particular legitimate use of .diagcab files. The rule is most relevant where system integrity is at risk from misuse of diagnostic tools, which can be manipulated to run arbitrary code or exfiltrate information.
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2022-06-21