Summary
This detection rule identifies suspicious use of AppCert.exe, a component of the Windows Application Compatibility Toolkit that is normally used for application compatibility testing. Threat actors may abuse this tool to install malicious MSI files via the command line argument '-setupcommandline', attempting to evade traditional detection methods. The rule collects endpoint process data indicating that AppCert.exe has been executed with parameters that signal an attempt to install MSI files. The detection logic uses a regex to select the command-line strings associated with such an installation, providing visibility into potential living-off-the-land attacks in which a legitimate binary is misused for malicious purposes. The matching events are aggregated and presented to highlight security events that warrant further investigation, supporting a proactive response to potential threats in enterprise environments.
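As an added illustration (not the rule's own query or regex, which this page does not reproduce), the following Python runs the same idea over constructed process-creation events: match an AppCert.exe image, extract the value passed to -setupcommandline, and aggregate hits by host and user. The field names (Image, CommandLine, Computer, User), the regex, and the sample command lines are assumptions made for this example.

```python
import re
from collections import Counter

# Assumed stand-in for the rule's regex (the page does not show it):
# an image named appcert.exe, and a -setupcommandline (or /setupcommandline)
# switch followed by a quoted or bare value.
APPCERT_IMAGE = re.compile(r"(?:^|[\\/])appcert\.exe$", re.IGNORECASE)
SETUP_SWITCH = re.compile(
    r"[-/]setupcommandline[\s:=]+(?P<cmd>\"[^\"]*\"|\S+)", re.IGNORECASE
)

def match_appcert_msi(event):
    """Return the extracted setup command if the event fits the rule, else None."""
    if not APPCERT_IMAGE.search(event.get("Image", "")):
        return None
    m = SETUP_SWITCH.search(event.get("CommandLine", ""))
    if not m:
        return None
    return m.group("cmd").strip('"')

def hunt(events):
    """Filter process-creation events and aggregate hits by (host, user)."""
    hits = [dict(e, setup_command=cmd) for e in events
            if (cmd := match_appcert_msi(e)) is not None]
    summary = Counter((h["Computer"], h["User"]) for h in hits)
    return hits, summary

# Constructed sample telemetry in a Sysmon EventID 1 style; not real data.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\App Certification Kit\\appcert.exe",
     "CommandLine": 'appcert.exe test -apptype desktop -setupcommandline "msiexec /i C:\\Users\\Public\\update.msi /qn"'},
    {"Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Tools\\appcert.exe",
     "CommandLine": "appcert.exe test -apptype desktop -setupcommandline C:\\Temp\\setup.msi"},
    {"Computer": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "msiexec /i C:\\installer.msi"},          # not appcert: no hit
    {"Computer": "WS03", "User": "CORP\\carol",
     "Image": "C:\\Program Files (x86)\\Windows Kits\\10\\App Certification Kit\\appcert.exe",
     "CommandLine": "appcert.exe reset"},                      # benign use: no hit
]

if __name__ == "__main__":
    hits, summary = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(h["Computer"], h["User"], "->", h["setup_command"])
    print(dict(summary))
```

Benign AppCert.exe runs without the switch are not flagged, so reviewing the extracted setup command and the parent process is the natural triage step for each hit.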
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
- User Account
ATT&CK Techniques
- T1218.007
- T1127
- T1218
Created: 2024-02-09