Remotely Started Services via RPC

Elastic Detection Rules

Summary
This rule identifies instances of remotely started Windows services over Remote Procedure Call (RPC), which may signify lateral movement within a network. The detection logic correlates service execution via 'services.exe' with a network connection, allowing the observation of service management requests that could indicate unauthorized access. It employs EQL to parse logs for service-related events and possible malicious activity, focusing on inbound network traffic directed to Windows hosts and any associated process instantiation through 'services.exe'. The rule includes detailed triage and analysis steps for investigation, helping analysts trace the actions back to potentially compromised accounts or processes. False positives may arise from legitimate remote management tools, so analysts should consider contextual factors before raising alerts.
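The correlation the summary describes, reduced to a runnable sketch: an inbound network connection to a host, followed within a short window by a process that 'services.exe' starts on that same host. This is an added example and not Elastic's rule or its EQL; the event records are constructed, the field names (direction, source_ip, parent_exe, and so on) are assumptions rather than the rule's real fields, and the five-second window and management-host allow-list are illustrative values chosen here to show the false-positive handling the summary mentions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed correlation window and allow-list; neither comes from the rule.
WINDOW = timedelta(seconds=5)
MANAGEMENT_HOSTS = {"10.0.0.9"}  # constructed: a known remote-management source


@dataclass
class Event:
    ts: datetime
    host: str
    category: str                     # "network" or "process"
    data: dict = field(default_factory=dict)


def is_inbound_connection(ev):
    """Inbound traffic from a non-loopback peer (assumed field names)."""
    d = ev.data
    return (ev.category == "network"
            and d.get("direction") == "ingress"
            and not str(d.get("source_ip", "")).startswith("127."))


def is_services_child(ev):
    """A process start whose parent is services.exe (assumed field names)."""
    return (ev.category == "process"
            and ev.data.get("event_type") == "start"
            and ev.data.get("parent_exe", "").lower().endswith("\\services.exe"))


def find_remote_service_starts(events, window=WINDOW, allowlist=MANAGEMENT_HOSTS):
    """Pair each services.exe child with inbound connections to the same host
    seen at most `window` earlier. Hits from allow-listed sources are kept but
    flagged so the triage decision is visible rather than silently dropped."""
    recent = {}          # host -> inbound network events seen so far
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if is_inbound_connection(ev):
            recent.setdefault(ev.host, []).append(ev)
        elif is_services_child(ev):
            for net in recent.get(ev.host, []):
                if ev.ts - window <= net.ts <= ev.ts:
                    src = net.data["source_ip"]
                    hits.append({
                        "host": ev.host,
                        "source_ip": src,
                        "child_exe": ev.data.get("exe"),
                        "user": ev.data.get("user"),
                        "allowlisted": src in allowlist,
                    })
    return hits


def sample_events():
    """Constructed telemetry covering a true hit, a local start, a start
    outside the window, an allow-listed management host, and loopback traffic."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    services = "C:\\Windows\\System32\\services.exe"
    s = lambda n: t0 + timedelta(seconds=n)
    return [
        Event(s(0), "WS-01", "network", {"direction": "ingress", "source_ip": "10.0.0.5", "dest_port": 135}),
        Event(s(2), "WS-01", "process", {"event_type": "start", "parent_exe": services,
                                        "exe": "C:\\Windows\\Temp\\svc.exe", "user": "CORP\\admin"}),
        Event(s(1), "WS-02", "process", {"event_type": "start", "parent_exe": services,
                                        "exe": "C:\\Windows\\System32\\svchost.exe"}),
        Event(s(60), "WS-01", "process", {"event_type": "start", "parent_exe": services,
                                         "exe": "C:\\Windows\\System32\\svchost.exe"}),
        Event(s(100), "WS-03", "network", {"direction": "ingress", "source_ip": "10.0.0.9", "dest_port": 135}),
        Event(s(101), "WS-03", "process", {"event_type": "start", "parent_exe": services,
                                          "exe": "C:\\Windows\\System32\\svchost.exe", "user": "CORP\\ops"}),
        Event(s(200), "WS-04", "network", {"direction": "ingress", "source_ip": "127.0.0.1", "dest_port": 135}),
        Event(s(201), "WS-04", "process", {"event_type": "start", "parent_exe": services,
                                          "exe": "C:\\Windows\\System32\\svchost.exe"}),
    ]


if __name__ == "__main__":
    for hit in find_remote_service_starts(sample_events()):
        tag = "review (allow-listed source)" if hit["allowlisted"] else "ALERT"
        print(f"{tag}: {hit['host']} service child {hit['child_exe']} "
              f"after inbound from {hit['source_ip']} as {hit['user']}")
```

Run as-is it reports two pairings: the WS-01 start from an unknown peer as an alert, and the WS-03 start from the allow-listed management host flagged for review. The WS-02 start (no preceding inbound connection), the second WS-01 start (outside the window) and the WS-04 start (loopback peer) produce nothing, which is the contextual filtering the summary asks analysts to apply before escalating.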
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1021
Created: 2020-11-16