DllUnregisterServer Function Call Via Msiexec.EXE

Sigma Rules

Summary
This detection rule identifies unauthorized calls to the `DllUnregisterServer` function made through the Microsoft Installer executable (`msiexec.exe`). `DllUnregisterServer` is normally used to remove the Windows Registry entries associated with a DLL when it is no longer needed. Malicious actors may use it to unregister legitimately installed DLLs in order to remove traces of their activity from the system or to disable security measures. The rule looks for the creation of an `msiexec.exe` process whose command line carries particular parameters: it checks the process creation event for the `-z` switch together with a `.dll` reference in the command-line arguments, the combination that matches the expected pattern of suspicious behaviour. When these conditions are met, the rule raises a high-priority alert so that security teams can investigate potential defense evasion activity. The rule relies on the Windows platform's process creation logging to monitor and respond to potentially malicious alterations to system files.
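The three conditions the summary names (image is `msiexec.exe`, the `-z` switch is present, and the command line references a `.dll`) can be checked over process creation telemetry with a few lines of matching logic. The following is an added illustration, not the Sigma rule itself or code from the rule's maintainers; it assumes Sysmon-style `Image` and `CommandLine` fields, treats `/z` as equivalent to `-z` (msiexec accepts both switch prefixes), and runs over constructed sample events rather than real logs.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List


# Hypothetical minimal process-creation event carrying only the two fields the
# summary says the rule inspects (assumption: Sysmon Event ID 1 field names).
@dataclass
class ProcessCreationEvent:
    image: str
    command_line: str


def is_msiexec(image: str) -> bool:
    """True when the image file name is msiexec.exe, whatever its path.

    Comparison is case-insensitive and accepts either path separator because
    Windows paths are case-insensitive and some log pipelines normalise slashes.
    """
    return image.lower().replace("/", "\\").rsplit("\\", 1)[-1] == "msiexec.exe"


# The unregister switch must stand as its own token (-z or /z) followed by an
# argument. Assumption: a bare substring test for "-z" would also fire on
# unrelated tokens such as "-zip", so the switch is matched as a whole token.
_UNREGISTER_SWITCH = re.compile(r"(?:^|\s)[-/]z(?=\s)", re.IGNORECASE)

# A .dll reference, whether bare, quoted, or at the end of the command line.
_DLL_REFERENCE = re.compile(r"\.dll(?=$|[\s\"'])", re.IGNORECASE)


def matches_rule(event: ProcessCreationEvent) -> bool:
    """True when all three conditions described in the summary hold."""
    return (
        is_msiexec(event.image)
        and _UNREGISTER_SWITCH.search(event.command_line) is not None
        and _DLL_REFERENCE.search(event.command_line) is not None
    )


def scan(events: Iterable[ProcessCreationEvent]) -> List[ProcessCreationEvent]:
    """Return the events that would raise the alert."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events (not real telemetry). Paths and DLL names are
# placeholders chosen to exercise each branch of the matching logic.
SAMPLE_EVENTS = [
    ProcessCreationEvent(r"C:\Windows\System32\msiexec.exe",
                         r"msiexec.exe -z C:\Users\Public\example.dll"),
    ProcessCreationEvent(r"C:\Windows\System32\msiexec.exe",
                         r"msiexec.exe /i C:\Temp\setup.msi /qn"),
    ProcessCreationEvent(r"C:\Windows\SysWOW64\msiexec.exe",
                         r'MSIEXEC /Z "C:\Program Files\Vendor\plugin.DLL"'),
    ProcessCreationEvent(r"C:\Windows\System32\regsvr32.exe",
                         r"regsvr32.exe /u C:\Temp\example.dll"),
    ProcessCreationEvent(r"C:\Windows\System32\msiexec.exe",
                         r"msiexec.exe -zip archive.dll"),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT {hit.image} :: {hit.command_line}")
```

Only the first and third sample events match: the second is an ordinary package install, the fourth comes from `regsvr32.exe` rather than `msiexec.exe`, and the fifth shows why the switch is matched as a whole token rather than as the substring `-z`. A 32-bit `msiexec.exe` under `SysWOW64` is caught because the check looks at the file name only, not the directory.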
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1218.007
Created: 2022-04-24