
Summary
This detection rule monitors for persistence mechanisms established through the Windows Installer (msiexec.exe). It flags cases where msiexec.exe creates a scheduled task or writes a startup entry to an autostart registry location, activity consistent with an adversary maintaining access to a compromised host (scheduled-task persistence, T1053.005, proxied through the trusted installer binary, T1218.007). The rule correlates process context (msiexec.exe as the originating process) with file and registry event telemetry to capture these persistence actions. False positives are expected from legitimate software installations, since many MSI packages register scheduled tasks or startup items as part of setup. On alert, triage should establish the integrity and context of the created file or registry entry: which MSI package msiexec.exe was executing, where that package came from, whether it is signed by an expected publisher, and what the task or startup entry actually launches. Recurring, verified-benign installers should be handled with exclusions in the detection logic that are as specific as the environment allows (for example the task or value name together with the installer package rather than the name alone, which an attacker can reuse), and those exclusions should be revisited as the environment changes.
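The following is an added worked example of the logic described above, written for this page and not the rule's own query. It runs over a handful of constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set; the field names follow Sysmon's but the events themselves are invented for illustration), flags scheduled-task files and Run/RunOnce values created by msiexec.exe, joins each hit back to the process-create event so the triager sees which MSI package was being installed, and applies an exclusion keyed on both the artifact name and the installer package. The exclusion entry (an "AcmeAgent" installer) and all paths are hypothetical.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample telemetry (not real events). Sysmon-like fields:
#   EventID 1  = process create   (gives CommandLine for triage context)
#   EventID 11 = file create      (scheduled task XML lands under System32\Tasks)
#   EventID 13 = registry value set (Run / RunOnce autostart values)
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\invoice.msi /qn"},
    {"EventID": 11, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\Updater"},
    {"EventID": 13, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\ProgramData\Updater\up.exe"},
    # Hypothetical legitimate installer that also registers a startup value.
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Temp\AcmeAgent-3.2.msi" /qn'},
    {"EventID": 13, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AcmeAgent",
     "Details": r"C:\Program Files\Acme\agent.exe --firstrun"},
    # Task created by a non-installer process: outside the rule's scope.
    {"EventID": 11, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag"},
]

# Locations the rule cares about: task definition files and autostart values.
TASK_DIR_RE = re.compile(r"\\Windows\\System32\\Tasks\\", re.IGNORECASE)
STARTUP_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Exclusion = (artifact name, installer package file name), both lower-case.
# Keying on both is deliberate: a task name alone is trivially reused by an attacker.
DEFAULT_EXCLUSIONS: Set[Tuple[str, str]] = {("acmeagent", "acmeagent-3.2.msi")}


def is_msiexec(image: str) -> bool:
    return image.lower().endswith("\\msiexec.exe")


def msi_package(command_line: Optional[str]) -> Optional[str]:
    """Pull the .msi path out of an msiexec command line (quoted or bare)."""
    if not command_line:
        return None
    m = re.search(r'"([^"]+?\.msi)"|(\S+?\.msi)', command_line, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def detect(events: Iterable[Dict[str, object]],
           exclusions: Set[Tuple[str, str]] = DEFAULT_EXCLUSIONS) -> List[Dict[str, object]]:
    events = list(events)
    # Index process-create events so each file/registry hit can be enriched
    # with the command line (and therefore the MSI package) for triage.
    cmdlines = {e["ProcessGuid"]: str(e["CommandLine"])
                for e in events if e["EventID"] == 1}
    alerts: List[Dict[str, object]] = []
    for e in events:
        if not is_msiexec(str(e.get("Image", ""))):
            continue
        if e["EventID"] == 11 and TASK_DIR_RE.search(str(e["TargetFilename"])):
            kind, artifact = "scheduled_task", str(e["TargetFilename"])
        elif e["EventID"] == 13 and STARTUP_KEY_RE.search(str(e["TargetObject"])):
            kind, artifact = "startup_registry", str(e["TargetObject"])
        else:
            continue
        cmdline = cmdlines.get(str(e["ProcessGuid"]))
        package = msi_package(cmdline)
        pkg_name = basename(package).lower() if package else ""
        if (basename(artifact).lower(), pkg_name) in exclusions:
            continue
        alerts.append({
            "kind": kind,
            "artifact": artifact,
            "launches": e.get("Details"),      # what the persistence entry runs
            "msi_package": package,            # what to pull and inspect first
            "process_guid": e["ProcessGuid"],
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['kind']}] {a['artifact']} -> {a['launches']} (package: {a['msi_package']})")
```

Running the block reports the two artifacts created while installing invoice.msi and stays silent on the excluded AcmeAgent installer and on the svchost.exe-created defrag task. In a real pipeline the exclusion set is the part that drifts: review it whenever a packaged application is added or upgraded, and prefer pinning the package's hash or signer over its file name where the platform exposes that field.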
Categories
- Endpoint
- Windows
Data Sources
- Process
- File
- Windows Registry
ATT&CK Techniques
- T1053
- T1053.005
- T1218
- T1218.007
Created: 2024-09-05