
Summary
The detection rule "Windows Service Created" identifies the creation of new Windows services through the 'sc.exe' command-line utility. Adversaries commonly use this capability to execute malicious code by installing their own services on compromised systems. The rule relies on Windows Security Event Code 4688 (process creation) and looks for executions of 'sc.exe' whose command line contains the 'create' verb, which indicates that a new service is being installed; a regular expression matches that command pattern so that other 'sc.exe' operations do not trigger the rule. Because Event 4688 carries the command line only when process-creation auditing is configured to include it, that audit setting is a prerequisite for this detection. This technique has been observed in use by threat actor groups including APT29 (Nobelium), FIN6, and Lazarus. The detection logic is implemented in Splunk, which analyzes the event data and correlates service creation activity with potential threat signatures.
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1036.004
- T1574.009
- T1569.002
- T1543
Created: 2024-02-09