
Summary
This rule detects the installation of the PDQDeploy remote service on Windows systems. When a package is deployed with PDQDeploy, the tool installs a corresponding remote service named 'PDQDeployRunner-X', where 'X' is a sequential integer starting at 1. The detection monitors the Windows Event Log entries written by the Service Control Manager for new service installations, specifically Event ID 7045 (a service was installed), and narrows the match to services whose name and image path contain 'PDQDeployRunner-', so that only the relevant installations are flagged. Although the rule carries a medium severity level, it is considered important for detecting potential unauthorized privilege escalation attempts through the use of PDQDeploy. Legitimate uses of the tool may also produce matches, so those false positives should be considered during analysis.
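As an added example (not code from the rule or its source), the matching logic described above applied to constructed System-log records in Python. The record field names (Provider, EventID, ServiceName, ImagePath, AccountName) mirror the 7045 EventData layout but are assumptions, as is the sample image path.

```python
import re
from typing import Iterable, List, Optional

# The rule keys on this service-name prefix; X is a sequential integer.
RUNNER_PREFIX = "PDQDeployRunner-"
RUNNER_INDEX_RE = re.compile(r"PDQDeployRunner-(\d+)", re.IGNORECASE)


def is_pdq_runner_install(event: dict) -> bool:
    """True when the record is a Service Control Manager 7045 (service installed)
    whose ServiceName and ImagePath both contain 'PDQDeployRunner-'."""
    if event.get("Provider") != "Service Control Manager":
        return False
    if event.get("EventID") != 7045:
        return False
    name = str(event.get("ServiceName", "")).lower()
    path = str(event.get("ImagePath", "")).lower()
    return RUNNER_PREFIX.lower() in name and RUNNER_PREFIX.lower() in path


def runner_index(event: dict) -> Optional[int]:
    """Extract the sequential X from 'PDQDeployRunner-X' (None when absent)."""
    m = RUNNER_INDEX_RE.search(str(event.get("ServiceName", "")))
    return int(m.group(1)) if m else None


def find_pdq_runner_installs(events: Iterable[dict]) -> List[dict]:
    """Apply the rule over a stream of records and return one alert per match,
    keeping the fields an analyst needs to triage (runner number, path, account)."""
    alerts = []
    for ev in events:
        if is_pdq_runner_install(ev):
            alerts.append({"ServiceName": ev["ServiceName"], "Runner": runner_index(ev),
                           "ImagePath": ev["ImagePath"], "AccountName": ev.get("AccountName")})
    return alerts


# Constructed sample System-log records (not real telemetry); the PDQ image path
# is an illustrative assumption, not a value taken from the rule page.
SAMPLE_EVENTS = [
    {"Provider": "Service Control Manager", "EventID": 7045,
     "ServiceName": "PDQDeployRunner-1",
     "ImagePath": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\PDQDeployRunner-1.exe",
     "AccountName": "LocalSystem"},
    # Unrelated service install: 7045 but neither field mentions the runner.
    {"Provider": "Service Control Manager", "EventID": 7045,
     "ServiceName": "ExampleBackupAgent",
     "ImagePath": r"C:\Program Files\ExampleBackup\agent.exe", "AccountName": "LocalSystem"},
    # Same runner but a 7036 state-change event: not an installation, so no alert.
    {"Provider": "Service Control Manager", "EventID": 7036,
     "ServiceName": "PDQDeployRunner-1"},
]

if __name__ == "__main__":
    for alert in find_pdq_runner_installs(SAMPLE_EVENTS):
        print(alert)
```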
Categories
- Windows
- Endpoint
Data Sources
- Service
- Windows Registry
- Logon Session
Created: 2022-07-22