
Summary
This rule detects abuse of the Windows Installer rollback feature to escalate privileges from a standard user to SYSTEM. The attacker crafts malicious rollback scripts that instruct the SYSTEM-level Windows Installer service to delete attacker-specified files or directories via FolderContentsDeleteToFolderDelete. Windows Installer creates rollback scripts during installation so that changes can be undone if the installation fails, and the rollback mechanism runs under SYSTEM; an attacker can use this trusted path to perform filesystem modifications without triggering a UAC prompt. Detection relies on endpoint telemetry showing MSI-related process activity and rollback-script handling, including msiexec.exe invocations, rollback-script artifacts, and related installer and process activity. Data sources for the rule include Sysmon Event ID 1, Windows Security event 4688 (process creation), and CrowdStrike ProcessRollup2, which capture the relevant process and command-line activity. Implementations should account for legitimate MSI installations and allowlist approved deployment tools to reduce false positives. References include CVE-2024-44193.
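As an added illustration of the process/file correlation and allowlisting the summary describes (example code, not the rule's own logic): it triages constructed telemetry records; the field names, the deployment-agent allowlist and the sample events are assumptions, while C:\Config.Msi\*.rbs is where Windows Installer keeps its rollback scripts.

```python
# Added example (not from the rule page): triage constructed endpoint records
# shaped like Sysmon EID 1/11 and Security 4688 fields. Field names, the
# allowlist and the sample events are assumptions; Windows Installer keeps
# its rollback scripts as C:\Config.Msi\*.rbs.
import re

# Assumed set of approved software-deployment parents for msiexec launches.
APPROVED_PARENTS = {r"c:\program files\deploymentagent\agent.exe"}
INSTALLER_IMAGE = r"c:\windows\system32\msiexec.exe"  # the only legitimate writer
SYSTEM_USER = "nt authority\\system"
ROLLBACK_SCRIPT = re.compile(r"^c:\\config\.msi\\[^\\]+\.rbs$", re.IGNORECASE)

def classify(event: dict):
    """Return a finding label for one record, or None if it is benign."""
    image = event.get("image", "").lower()
    user = event.get("user", "").lower()
    if event["type"] == "file_create":
        # Core signal: a rollback script written by anything other than the
        # SYSTEM-context installer service. Legitimate rollback handling
        # never originates from a standard-user process.
        if ROLLBACK_SCRIPT.match(event.get("target", "")):
            if image != INSTALLER_IMAGE or user != SYSTEM_USER:
                return "rollback_script_written_by_unexpected_process"
        return None
    if event["type"] == "process_create" and image == INSTALLER_IMAGE:
        # Unapproved msiexec launches are analyst context, not conclusive on
        # their own: users install software legitimately all the time.
        if event.get("parent_image", "").lower() not in APPROVED_PARENTS:
            return "msiexec_launch_outside_allowlist"
    return None

def triage(events: list) -> dict:
    """Map record id -> finding for every non-benign record."""
    labelled = ((e["id"], classify(e)) for e in events)
    return {i: lbl for i, lbl in labelled if lbl}

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Program Files\DeploymentAgent\agent.exe"},
    {"id": 2, "type": "file_create", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\msiexec.exe", "target": r"C:\Config.Msi\3f2a1.rbs"},
    {"id": 3, "type": "file_create", "user": "CORP\\alice",
     "image": r"C:\Users\alice\tool.exe", "target": r"C:\Config.Msi\3f2a1.rbs"},
    {"id": 4, "type": "process_create", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe"},
]
```

Record 2 shows why the user and image checks are both needed: the installer service writing its own rollback script is normal and must stay silent.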
Categories
- Endpoint
- Windows
Data Sources
- Script
- Windows Registry
- File
- Process
- Group
- Application Log
ATT&CK Techniques
- T1068
Created: 2026-04-13