
Summary
This detection rule identifies obfuscated PowerShell scripts that use the COMPRESS OBFUSCATION technique on Windows systems. It monitors Windows Event ID 4697 ("A service was installed in the system") and inspects the service file name recorded in that event. The rule looks for key elements in the service file name that indicate potentially malicious activity: classes and methods associated with PowerShell object creation and with reading and decompressing strings. Concretely, it requires the substrings 'new-object', 'text.encoding::ascii' and 'readtoend' to appear in the service file name, together with a reference to a .NET data compression library. Because compression obfuscation is designed to hide the payload itself from string matching, the rule keys on these loader markers, which the script still has to include in order to decompress and execute the payload.
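The following is an added example of the matching logic the summary describes, applied to a few constructed Event ID 4697 records; it is not the rule's own implementation. The three required markers come from the summary above. PowerShell writes the static member as `[Text.Encoding]::ASCII`, so the matcher also accepts the closing bracket before `::`. The specific compression-library substrings (`io.compression.deflatestream`, `io.compression.gzipstream`) are an assumption, since the page only speaks of "external data compression libraries". The sample events, record IDs and service names are constructed for the example.

```python
import re

# Markers named in the rule summary. The optional "]" lets the pattern match
# the real PowerShell spelling [Text.Encoding]::ASCII as well as the bare form.
REQUIRED_MARKERS = [
    r"new-object",
    r"text\.encoding\]?::ascii",
    r"readtoend",
]

# Assumed compression-library substrings (not listed on the page; these are the
# .NET stream types a compress-style loader would typically reference).
COMPRESSION_MARKERS = [
    r"io\.compression\.deflatestream",
    r"io\.compression\.gzipstream",
]


def is_compress_obfuscation(service_file_name: str) -> bool:
    """Return True when the service file name carries all required loader
    markers and at least one compression-library reference (case-insensitive)."""
    text = service_file_name.lower()
    if not all(re.search(m, text) for m in REQUIRED_MARKERS):
        return False
    return any(re.search(m, text) for m in COMPRESSION_MARKERS)


def scan_events(events):
    """Return the RecordIds of Event ID 4697 records whose ServiceFileName
    matches; events with any other EventID are ignored."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4697:
            continue
        if is_compress_obfuscation(ev.get("ServiceFileName", "")):
            hits.append(ev["RecordId"])
    return hits


# Constructed sample events (not real telemetry). Record 1002 mimics a
# compressed-payload loader stub with a placeholder instead of a real payload.
SAMPLE_EVENTS = [
    {"RecordId": 1001, "EventID": 4697, "ServiceName": "Spooler",
     "ServiceFileName": r"C:\Windows\System32\spoolsv.exe"},
    {"RecordId": 1002, "EventID": 4697, "ServiceName": "upd-svc",
     "ServiceFileName": (
         "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -c "
         "\"$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('<base64 blob>'));"
         "IEX (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream($s,"
         "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()\""
     )},
    # Object creation without the read/decompress markers: should not match.
    {"RecordId": 1003, "EventID": 4697, "ServiceName": "agent",
     "ServiceFileName": "powershell -c \"New-Object Net.WebClient\""},
    # Wrong event id: skipped regardless of content.
    {"RecordId": 1004, "EventID": 7045, "ServiceName": "other",
     "ServiceFileName": "new-object text.encoding::ascii readtoend io.compression.gzipstream"},
]


if __name__ == "__main__":
    for record_id in scan_events(SAMPLE_EVENTS):
        print(f"4697 record {record_id}: possible COMPRESS OBFUSCATION loader")
```

Running the block reports only record 1002. Record 1003 shows why all three required markers are demanded together: `New-Object` alone is common in benign service command lines, and it is the combination with `ReadToEnd` and a decompression stream that characterises the loader stub.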
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Application Log
- Service
Created: 2020-10-18