Clop Ransomware Known Service Name

Splunk Security Content

Summary
This analytic rule detects the creation of Windows services associated with the Clop ransomware. It uses Windows Event Logs, specifically Event Code 7045, which records the installation of a new service, and looks for the service names 'SecurityCenterIBM' and 'WinCheckDRVs', which Clop is known to use to persist on compromised systems and run high-privilege code. The appearance of either name indicates a possible ransomware attack, since attackers create such services to keep control of infected machines. If this activity goes undetected, the ransomware can go on to encrypt critical data. The detection requires proper log ingestion from endpoints so that these events are collected accurately and monitored in real time.
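The following is an added illustration of the detection logic described above, not the Splunk Security Content rule itself. It parses constructed Windows event records (simplified event XML with the namespace omitted), keeps only Event ID 7045, and raises an alert when the installed service name matches one of the two known Clop names; the match is case-insensitive, which goes slightly beyond the literal names quoted in the summary. A non-7045 record carrying a matching name is included to show that it is deliberately ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample events (not real telemetry) in a simplified Windows Event Log
# XML shape. Event 7045 from the Service Control Manager records a new service install.
SAMPLE_EVENTS = r"""<Events>
<Event><System><EventID>7045</EventID><Computer>WS01</Computer><TimeCreated SystemTime="2024-12-10T10:00:00Z"/></System>
<EventData><Data Name="ServiceName">SecurityCenterIBM</Data><Data Name="ImagePath">C:\Windows\Temp\svc.exe</Data></EventData></Event>
<Event><System><EventID>7045</EventID><Computer>WS02</Computer><TimeCreated SystemTime="2024-12-10T10:05:00Z"/></System>
<EventData><Data Name="ServiceName">Spooler</Data><Data Name="ImagePath">C:\Windows\System32\spoolsv.exe</Data></EventData></Event>
<Event><System><EventID>7036</EventID><Computer>WS03</Computer><TimeCreated SystemTime="2024-12-10T10:06:00Z"/></System>
<EventData><Data Name="ServiceName">WinCheckDRVs</Data></EventData></Event>
<Event><System><EventID>7045</EventID><Computer>WS04</Computer><TimeCreated SystemTime="2024-12-10T10:07:00Z"/></System>
<EventData><Data Name="ServiceName">wincheckdrvs</Data><Data Name="ImagePath">C:\Users\Public\a.exe</Data></EventData></Event>
</Events>"""

# Service names the page attributes to Clop, lower-cased for case-insensitive matching.
KNOWN_CLOP_SERVICE_NAMES = {"securitycenteribm", "wincheckdrvs"}


def parse_events(xml_text):
    """Yield (event_id, computer, time_created, event_data) for each <Event>."""
    root = ET.fromstring(xml_text)
    for ev in root.iter("Event"):
        system = ev.find("System")
        event_id = int(system.findtext("EventID", "0"))
        computer = system.findtext("Computer", "")
        tc = system.find("TimeCreated")
        time_created = tc.get("SystemTime", "") if tc is not None else ""
        data = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        yield event_id, computer, time_created, data


def detect_clop_service_install(xml_text):
    """Return one alert per Event ID 7045 whose ServiceName is a known Clop name."""
    alerts = []
    for event_id, computer, time_created, data in parse_events(xml_text):
        if event_id != 7045:  # only service installation events matter here
            continue
        name = data.get("ServiceName", "")
        if name.strip().lower() in KNOWN_CLOP_SERVICE_NAMES:
            alerts.append({"host": computer, "time": time_created, "service_name": name,
                           "image_path": data.get("ImagePath", ""), "technique": "T1543"})
    return alerts


if __name__ == "__main__":
    for alert in detect_clop_service_install(SAMPLE_EVENTS):
        print(alert)
```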
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1543
Created: 2024-12-10