
Summary
The rule detects the installation of potentially malicious Windows services associated with the Sliver command and control (C2) framework. It watches Service Control Manager (SCM) events for Event ID 7045, which records that a new service was successfully installed and is the point at which a Sliver implant deployed as a service first appears in the System log. Two conditions on the installed service are checked: an executable path that matches the pattern of the temporary executables Sliver implants typically use, located in the Windows temp directory, or a service name containing 'Sliver' or 'Sliver implant'. A 7045 event satisfying either condition triggers the rule. Service installation is a common way for adversaries to escalate privileges and execute commands under a service context, so a hit should be treated as a likely Sliver deployment and investigated accordingly.
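To make the detection logic concrete, the following is an added example that runs the rule's conditions over a handful of constructed 7045 records; it is not the rule's own query or code from the rule's author. The field names (Provider_Name, EventID, ServiceName, ImagePath) follow the usual Windows System-log naming, the regex for "a temporary executable in the Windows temp directory" is an assumption since the page does not print the rule's exact pattern, and the exact, case-insensitive comparison of the service name against 'Sliver' and 'Sliver implant' is likewise a choice made for this example.

```python
import re

# Assumed pattern for "a temporary executable in the Windows temp directory".
# The page does not give the rule's exact regex, so this is illustrative only.
TEMP_EXE_RE = re.compile(r"^[a-z]:\\windows\\temp\\[a-z0-9]+\.exe$", re.IGNORECASE)

# Service names the summary attributes to Sliver implants (compared
# case-insensitively and exactly; an assumption made for this example).
SLIVER_SERVICE_NAMES = {"sliver", "sliver implant"}


def normalize_image_path(image_path: str) -> str:
    """Strip surrounding quotes and trailing arguments so the path check sees
    only the binary. 7045 ImagePath values are often quoted or carry args."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return path[1:end] if end > 0 else path[1:]
    # Unquoted path: take the token before the first space. This assumes the
    # binary path itself has no spaces, which holds for the Windows\Temp case.
    return path.split(" ", 1)[0]


def is_sliver_service_install(event: dict) -> bool:
    """True when the event matches the rule logic described in the summary:
    an SCM 7045 event whose service name is a Sliver default or whose binary
    sits in Windows\\Temp under a temp-style name."""
    if event.get("Provider_Name") != "Service Control Manager":
        return False
    if event.get("EventID") != 7045:
        return False
    name = str(event.get("ServiceName", "")).strip().lower()
    if name in SLIVER_SERVICE_NAMES:
        return True
    return bool(TEMP_EXE_RE.match(normalize_image_path(event.get("ImagePath", ""))))


def find_sliver_installs(events):
    """Return the ServiceName of every event that fires the rule, in order."""
    return [e["ServiceName"] for e in events if is_sliver_service_install(e)]


# Constructed sample events (not real telemetry). Only the first three should
# fire: default name, temp-dir binary under a renamed service, default name
# with a non-temp path. The rest are a benign install, a 7036 state-change
# event, and a 7045 from the wrong provider.
SAMPLE_EVENTS = [
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Sliver", "ImagePath": r"C:\Windows\Temp\PBvXKkLmQa.exe"},
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Updater", "ImagePath": r'"c:\windows\temp\rkz83hdq2m.exe"'},
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Sliver implant", "ImagePath": r"C:\ProgramData\svc\svc.exe"},
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "BackupAgent",
     "ImagePath": r'"C:\Program Files\Backup\agent.exe" -svc'},
    {"Provider_Name": "Service Control Manager", "EventID": 7036,
     "ServiceName": "Sliver"},
    {"Provider_Name": "Microsoft-Windows-Security-Auditing", "EventID": 7045,
     "ServiceName": "Sliver", "ImagePath": r"C:\Windows\Temp\x.exe"},
]

if __name__ == "__main__":
    for name in find_sliver_installs(SAMPLE_EVENTS):
        print("ALERT: possible Sliver service install:", name)
```

Note that the path branch fires on any service whose binary lives under Windows\Temp with a temp-style name, whatever the service is called, so when triaging a hit from that branch compare the binary against known installers and legitimate agents that stage executables there; the name branch is the higher-confidence signal.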
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Service
Created: 2022-08-25