
Summary
This detection rule identifies the installation of various remote access tools (RATs) on Windows systems by monitoring Service Control Manager events associated with service creation. Threat actors often use RATs to gain unauthorized access to systems, perform surveillance, and control targets remotely. The rule watches for System log events with Event IDs 7045 and 7036 whose service name matches a known remote access tool, such as TeamViewer, LogMeIn, or GoToAssist, among others. Detecting these installations lets security teams respond before a potential threat compromises system integrity and confidentiality. Because the rule keys on specific service names, incident response teams should review the software behind each hit for its security implications and take appropriate action when an installation is suspicious.
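The matching logic the summary describes, as an added example written for this page rather than the rule's own code: it filters Service Control Manager events to IDs 7045 and 7036 and flags any whose service name matches a known remote access tool. The event records, the `ServiceEvent` layout and the `approved_services` tuning knob are assumptions; the sample events are constructed, and the name list holds only the three tools the page names.

```python
"""Added example: flag Service Control Manager events (IDs 7045 and 7036)
whose service name matches a known remote access tool.
Not the rule's own code; record layout and sample events are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Service Control Manager event IDs covered by the rule:
# 7045 = a new service was installed, 7036 = a service changed state.
WATCHED_EVENT_IDS = {7045, 7036}
SCM_PROVIDER = "Service Control Manager"

# Tool names taken from the page; extend the list for your environment.
# Assumption: a case-insensitive substring match is enough for these names.
RAT_SERVICE_PATTERNS = [
    re.compile(r"teamviewer", re.IGNORECASE),
    re.compile(r"logmein", re.IGNORECASE),
    re.compile(r"gotoassist", re.IGNORECASE),
]


@dataclass
class ServiceEvent:
    """Simplified stand-in for an exported System-log event (assumption)."""
    event_id: int
    provider: str
    service_name: str
    image_path: str = ""   # populated on 7045 only
    message: str = ""


def is_rat_service(name: str) -> bool:
    """True when the service name matches any known remote access tool."""
    return any(p.search(name) for p in RAT_SERVICE_PATTERNS)


def match_event(ev: ServiceEvent, approved_services: Set[str] = frozenset()) -> Optional[dict]:
    """Return an alert dict for a matching event, or None.

    approved_services (lower-cased exact names) models the tuning an analyst
    applies for RATs that are sanctioned in the environment."""
    if ev.provider != SCM_PROVIDER or ev.event_id not in WATCHED_EVENT_IDS:
        return None
    if not is_rat_service(ev.service_name):
        return None
    if ev.service_name.lower() in approved_services:
        return None
    reason = "service installed" if ev.event_id == 7045 else "service state change"
    return {
        "event_id": ev.event_id,
        "service_name": ev.service_name,
        "image_path": ev.image_path,
        "reason": reason,
    }


def scan(events: Iterable[ServiceEvent], approved_services: Set[str] = frozenset()) -> List[dict]:
    """Run match_event over a stream of events and collect the alerts."""
    alerts = []
    for ev in events:
        hit = match_event(ev, approved_services)
        if hit is not None:
            alerts.append(hit)
    return alerts


# Constructed sample events: two installs, two state changes and one
# unrelated 7040 (start-type change) that the rule does not cover.
SAMPLE_EVENTS = [
    ServiceEvent(7045, SCM_PROVIDER, "TeamViewer",
                 r"C:\Program Files\TeamViewer\TeamViewer_Service.exe"),
    ServiceEvent(7036, SCM_PROVIDER, "LogMeIn",
                 message="The LogMeIn service entered the running state."),
    ServiceEvent(7045, SCM_PROVIDER, "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ServiceEvent(7040, SCM_PROVIDER, "GoToAssist Remote Support"),
    ServiceEvent(7036, SCM_PROVIDER, "GoToAssist Remote Support",
                 message="The GoToAssist Remote Support service entered the running state."),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['event_id']}] {alert['service_name']}: {alert['reason']}")
```

Two things to keep in mind when operating this: Event ID 7036 fires on every start and stop, so a sanctioned RAT will generate a hit each time it runs, which is what the `approved_services` set is for; and the match is by name only, so a 7045 whose `ImagePath` points somewhere unexpected deserves a closer look than one installed from the vendor's usual directory.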
Categories
- Windows
- Endpoint
Data Sources
- Service
- Process
Created: 2022-12-23