Suspicious Service Installed

Sigma Rules

Summary
This detection rule identifies the installation of two suspicious services, 'NalDrv' and 'PROCEXP152', which are indicators of the tool 'Ghost-In-The-Logs'. It works by monitoring the Windows registry for writes to the service path entries of these two services and flagging cases where the service binary is located outside the System32 directory, where such drivers would normally reside. To reduce noise, the rule filters out writes that originate from recognized process executable paths, which covers legitimate use of the same driver by known tooling. Because attackers can rename the services to evade the hard-coded names, the rule has medium confidence and should be paired with additional monitoring; expect some false positives from legitimate tools and from renamed services that fall outside the filter.
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2019-04-08