
SimpleHelp Remote Access Tool Service Installation

Anvilogic Forge

Summary
This detection rule identifies the unauthorized installation of Remote Access Tools (RATs), specifically SimpleHelp and JWrapper Remote Access, on Windows systems. Threat actors often install these tools as services to maintain persistent access to compromised environments, disguising them as legitimate IT support software. The rule watches for Windows event IDs 4697 and 7045, which are logged when a new service is created or modified, and correlates them with the binary paths associated with these tools. It flags service installations whose executable matches SimpleHelp or a similar RAT, focusing on executables housed under the Program Files or ProgramData directories. Catching these installs early surfaces unauthorized remote access setups and strengthens an organization's security monitoring.
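The matching logic the summary describes, written out in Python as an added illustration (this is not Anvilogic's rule code): it keys on event IDs 4697 and 7045, requires the service binary to live under Program Files or ProgramData, and looks for SimpleHelp or JWrapper Remote Access in the path. The event field names and the sample events are constructed for the example.

```python
import re

# Service-install events the rule keys on: 4697 (Security log) and 7045 (System log).
SERVICE_INSTALL_EVENT_IDS = {4697, 7045}

# Binary must sit under Program Files / Program Files (x86) / ProgramData on any drive...
INSTALL_DIR_RE = re.compile(r"^[a-z]:\\(program files( \(x86\))?|programdata)\\", re.IGNORECASE)
# ...and reference SimpleHelp or the JWrapper Remote Access launcher it ships with.
RAT_MARKER_RE = re.compile(r"simplehelp|jwrapper-remote access|remote access\.exe", re.IGNORECASE)


def extract_binary_path(image_path: str) -> str:
    """Strip surrounding quotes and trailing service arguments, keeping only the .exe path."""
    path = image_path.strip()
    if path.startswith('"'):
        return path[1:].split('"', 1)[0]
    # Unquoted: cut after the first '.exe' that is followed by whitespace or end of string.
    m = re.match(r"(.*?\.exe)(\s|$)", path, re.IGNORECASE)
    return m.group(1) if m else path


def is_simplehelp_service_install(event: dict) -> bool:
    """True when a service-install event points at a SimpleHelp/JWrapper binary in an install dir."""
    if event.get("event_id") not in SERVICE_INSTALL_EVENT_IDS:
        return False
    binary = extract_binary_path(event.get("image_path", ""))
    return bool(INSTALL_DIR_RE.search(binary) and RAT_MARKER_RE.search(binary))


def detect(events: list) -> list:
    """Return the subset of events that match the rule."""
    return [e for e in events if is_simplehelp_service_install(e)]


# Constructed sample events (not real telemetry); the field names are assumptions.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "Remote Access",
     "image_path": r'"C:\ProgramData\JWrapper-Remote Access\JWrapper-Remote Access\Remote Access.exe" -service'},
    {"event_id": 4697, "service_name": "SimpleService",
     "image_path": r"C:\Program Files\SimpleHelp\SimpleService.exe"},
    {"event_id": 7045, "service_name": "NetSvc",          # benign: System32, no RAT marker
     "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"event_id": 7045, "service_name": "VendorUpdater",   # benign: install dir but no RAT marker
     "image_path": r'"C:\Program Files\Vendor\Updater.exe"'},
    {"event_id": 4688, "service_name": "",                # wrong event type: process creation, not service install
     "image_path": r"C:\Program Files\SimpleHelp\SimpleService.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT event_id={hit['event_id']} service={hit['service_name']!r} path={hit['image_path']}")
```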
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1569.002
  • T1543
  • T1219
Created: 2025-06-06