
Uninstall App Using MsiExec

Splunk Security Content

Summary
This rule detects application uninstallation through the Windows Installer command-line tool, msiexec.exe. It looks for command-line switches commonly paired with an uninstall: the uninstall switch itself together with quiet (silent) mode and reboot-handling switches, which let software be removed without any user interaction or visible prompt. The detection is grounded in process execution telemetry such as Sysmon Event ID 1, Windows Security Event ID 4688 with command-line auditing enabled, or equivalent process data from EDR agents. In managed enterprise environments software is normally removed through software management tooling rather than by invoking msiexec directly, so direct silent uninstalls are relatively rare and may indicate malicious activity, for example an attempt to disable or remove security software before further compromise of the network. Identifying this behavior lets organizations investigate and respond before the attacker can build on it.
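The logic the summary describes, run over a handful of constructed process-creation events, as an added example (this is illustrative Python written for this page, not the Splunk search or any Splunk Security Content code; the sample events, hosts, users and product codes are made up, and the field names follow Sysmon Event ID 1 / Security 4688 conventions rather than any particular data model):

```python
import re

# Constructed sample events shaped like Sysmon Event ID 1 / Security 4688 records.
# Hosts, users and the product code are invented; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\msiexec.exe", "original_file_name": "msiexec.exe",
     "cmd": r"msiexec.exe /x {11111111-2222-3333-4444-555555555555} /qn /norestart"},
    {"host": "ws02", "user": "CORP\\bob",                      # silent install, not an uninstall
     "image": r"C:\Windows\System32\msiexec.exe", "original_file_name": "msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Temp\tool.msi" /qn'},
    {"host": "ws03", "user": "NT AUTHORITY\\SYSTEM",           # renamed copy of msiexec, dash-style switches
     "image": r"C:\Temp\svc.exe", "original_file_name": "msiexec.exe",
     "cmd": r'svc.exe -uninstall "C:\Program Files\Agent\agent.msi" -quiet -norestart'},
    {"host": "ws04", "user": "CORP\\carol",                    # switch glued to the product code
     "image": r"C:\Windows\System32\msiexec.exe", "original_file_name": "msiexec.exe",
     "cmd": r"msiexec.exe /x{11111111-2222-3333-4444-555555555555} /q"},
    {"host": "ws05", "user": "CORP\\dave",                     # interactive uninstall, no quiet switch
     "image": r"C:\Windows\System32\msiexec.exe", "original_file_name": "msiexec.exe",
     "cmd": r"msiexec.exe /x {11111111-2222-3333-4444-555555555555}"},
]

# Tokenizer that keeps quoted paths ("C:\Program Files\...") as one token.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# msiexec accepts both "/" and "-" as switch prefixes and is case-insensitive.
# /x may be followed by a space, or glued to the product code or package path.
UNINSTALL_RE = re.compile(r'^(x|uninstall)(?=$|[{"]|[a-z]:\\)')
QUIET_RE = re.compile(r'^(q[nbrf]?[+\-!]?|quiet)$')
REBOOT_RE = re.compile(r'^(norestart|forcerestart|promptrestart)$')


def parse_switches(cmd: str) -> dict:
    """Normalize the msiexec switches on a command line into a small flag set."""
    flags = {"uninstall": False, "quiet": False, "reboot": None}
    for tok in TOKEN_RE.findall(cmd)[1:]:          # [0] is the image name itself
        if len(tok) < 2 or tok[0] not in "/-":
            continue
        name = tok[1:].lower()
        if UNINSTALL_RE.match(name):
            flags["uninstall"] = True
        elif QUIET_RE.match(name):
            flags["quiet"] = True
        elif REBOOT_RE.match(name):
            flags["reboot"] = name
    return flags


def is_msiexec(event: dict) -> bool:
    """Prefer OriginalFileName (PE version info) so a renamed msiexec.exe still matches;
    fall back to the image path when the sensor does not supply it."""
    name = (event.get("original_file_name") or event["image"]).rsplit("\\", 1)[-1]
    return name.lower() == "msiexec.exe"


def detect(events) -> list:
    """Return one hit per event where msiexec runs a silent uninstall."""
    hits = []
    for ev in events:
        if not is_msiexec(ev):
            continue
        flags = parse_switches(ev["cmd"])
        if flags["uninstall"] and flags["quiet"]:
            hits.append({"host": ev["host"], "user": ev["user"],
                         "reboot": flags["reboot"], "cmd": ev["cmd"]})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['host']:<5} {hit['user']:<22} reboot={hit['reboot']}  {hit['cmd']}")
```

Two points worth carrying back to the real search: match on the original file name rather than the process name where the sensor provides it, since a renamed copy of msiexec.exe would otherwise slip past, and handle the glued form (/x{ProductCode}) as well as the spaced one. Tuning is mostly about allow-listing the parent processes and service accounts your software management tooling uses, so that its legitimate silent uninstalls do not drown out a hands-on-keyboard removal of an endpoint agent.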
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1218.007
  • T1218
Created: 2024-11-13