
Summary
This detection rule identifies the installation of an MSI (Windows Installer) package from PowerShell through the WMI/CIM class Win32_Product. The usual form is the Invoke-CimMethod cmdlet, which calls a method on a CIM class; Win32_Product exposes an Install method that hands a package path to the Windows Installer service, so an installer can be run without ever invoking msiexec.exe on the command line. The rule fires when a single PowerShell script block contains all four of the strings 'Invoke-CimMethod', '-ClassName', 'Win32_Product' and '.msi'. The '.msi' requirement distinguishes installation from the far more common inventory use of Win32_Product (listing installed software), which would otherwise produce constant noise. The behavior maps to defense evasion (T1218.007, proxy execution via the Windows Installer), since an attacker can use built-in, signed tooling to install or modify software while avoiding the process-creation patterns that msiexec-focused detections look for. Script Block Logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) must be enabled on the endpoint; without it the script text is never recorded and the rule has nothing to match. Because the condition requires every phrase to appear in the same script block, a command deliberately split across several script blocks, or assembled from variables at run time, will not match and should be covered by other detections.
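The detection condition described above, run over a handful of constructed Script Block Logging records. This is an added illustration, not the rule's own search logic or any code from the project that publishes it; the event shape, host names, file paths and the assumption that phrase matching is case-insensitive (as it is for PowerShell cmdlet and parameter names) are all mine.

```python
from dataclasses import dataclass

# The four strings the rule requires to co-occur in one script block (taken from the summary).
REQUIRED_PHRASES = ("Invoke-CimMethod", "-ClassName", "Win32_Product", ".msi")


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in for a PowerShell Script Block Logging record (assumed field names, not real log data)."""
    event_code: int          # 4104 = script block logged
    computer: str
    script_block_text: str


def matches_win32_product_msi(event: ScriptBlockEvent) -> bool:
    """True when one 4104 script block contains every required phrase.

    Matching is case-insensitive: PowerShell does not care about the case of
    cmdlets or parameters, so an attacker can write 'invoke-cimmethod' and a
    case-sensitive comparison would silently miss it.
    """
    if event.event_code != 4104:
        return False
    text = event.script_block_text.lower()
    return all(phrase.lower() in text for phrase in REQUIRED_PHRASES)


def scan(events):
    """Return the events that satisfy the rule, in input order."""
    return [e for e in events if matches_win32_product_msi(e)]


# Constructed sample events (hostnames and paths are invented for the example).
SAMPLE_EVENTS = [
    # 1: install via Win32_Product.Install; every phrase present -> match
    ScriptBlockEvent(4104, "ws01.corp.example",
        "Invoke-CimMethod -ClassName Win32_Product -MethodName Install "
        "-Arguments @{PackageLocation='C:\\Users\\Public\\update.msi'}"),
    # 2: same technique with varied case and a UNC path -> still a match
    ScriptBlockEvent(4104, "ws02.corp.example",
        "invoke-cimmethod -classname win32_product -methodname install "
        "-arguments @{packagelocation='\\\\fileserver\\share\\Tool.MSI'}"),
    # 3: benign software inventory: Win32_Product but no '.msi' -> no match
    ScriptBlockEvent(4104, "ws03.corp.example",
        "Get-CimInstance -ClassName Win32_Product | Select-Object Name, Version"),
    # 4: direct msiexec launch; no CIM call, outside this rule's scope -> no match
    ScriptBlockEvent(4104, "ws04.corp.example",
        "Start-Process msiexec.exe -ArgumentList '/i C:\\temp\\agent.msi /qn'"),
    # 5: identical text but not a 4104 record -> the rule keys on script block logging
    ScriptBlockEvent(4103, "ws05.corp.example",
        "Invoke-CimMethod -ClassName Win32_Product -MethodName Install "
        "-Arguments @{PackageLocation='C:\\temp\\x.msi'}"),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT {hit.computer}: {hit.script_block_text}")
```

Events 3 and 4 show the two sides of the rule's scope: Win32_Product used purely for inventory is ignored because '.msi' never appears, and an msiexec.exe launch that bypasses CIM altogether is left to the process-based Msiexec detections rather than this script-block rule.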
Categories
- Windows
- Endpoint
Data Sources
- Script
- Process
ATT&CK Techniques
- T1218.007
Created: 2022-04-24