
Meterpreter or Cobalt Strike Getsystem Service Installation - Security

Summary
This detection rule identifies use of the getsystem command of Meterpreter or Cobalt Strike by watching service installation events in the Windows Security log. It matches Event ID 4697 (a service was installed in the system) and inspects the Service File Name field, which holds the binary path the new service will execute, rather than a command line. Two patterns are flagged, both left behind by the named-pipe impersonation technique getsystem uses: a service whose binary path runs cmd (or %COMSPEC%) with /c echo and redirects into a \pipe\ path, and a service whose binary path runs rundll32 against a DLL invoked as .dll,a with a /p: argument. Neither path is something a legitimate installer produces, so false positives are rated highly unlikely. The behaviour detected is local privilege escalation to SYSTEM on a host the attacker already controls, not lateral movement.
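As an added example, not code from the Sigma rule or this page, the following Python re-implements the matching logic described above and runs it over constructed Event ID 4697 records. The field names (EventID, ServiceName, ServiceFileName) follow the Windows Security log schema for 4697; the substring lists are assumed to mirror the rule's selections, and Sigma's default case-insensitive substring matching is assumed. The sample records are constructed for the demonstration, not real telemetry.

```python
"""Detect getsystem-style service installations in Security 4697 records.

Added example; it is not the Sigma rule's own code. The pattern lists below
are assumed to mirror the rule's selections, and matching is done
case-insensitively to follow Sigma's default 'contains' semantics.
"""

# Variant 1: cmd / %COMSPEC% launching '/c echo <x> > \\.\pipe\<x>'
CMD_LAUNCHERS = ("cmd", "%comspec%")
CMD_REQUIRED_ALL = ("/c", "echo", "\\pipe\\")

# Variant 2: rundll32 invoking an export 'a' of a DLL with a '/p:' argument
RUNDLL32_REQUIRED_ALL = ("rundll32", ".dll,a", "/p:")


def _contains_all(haystack: str, needles) -> bool:
    """True when every needle occurs somewhere in haystack."""
    return all(n in haystack for n in needles)


def is_getsystem_service(event: dict) -> bool:
    """Return True when a single record matches either getsystem variant.

    Only Security Event ID 4697 is considered; System log 7045 records are
    out of scope for this rule and are deliberately not matched here.
    """
    if event.get("EventID") != 4697:
        return False
    path = str(event.get("ServiceFileName", "")).lower()
    cmd_variant = (
        any(launcher in path for launcher in CMD_LAUNCHERS)
        and _contains_all(path, CMD_REQUIRED_ALL)
    )
    rundll32_variant = _contains_all(path, RUNDLL32_REQUIRED_ALL)
    return cmd_variant or rundll32_variant


def detect(events) -> list:
    """Return the ServiceName of every record that matches the rule."""
    return [e["ServiceName"] for e in events if is_getsystem_service(e)]


# Constructed sample records (hypothetical service names and paths).
SAMPLE_EVENTS = [
    # Meterpreter getsystem, named-pipe impersonation via cmd.exe
    {"EventID": 4697, "ServiceName": "bSxCVeYa",
     "ServiceFileName": r"cmd.exe /c echo bSxCVeYa > \\.\pipe\bSxCVeYa"},
    # Cobalt Strike getsystem, rundll32 variant
    {"EventID": 4697, "ServiceName": "c0a7",
     "ServiceFileName": r"rundll32.exe C:\Windows\Temp\c0a7.dll,a /p:c0a7"},
    # Benign: a normal service binary path
    {"EventID": 4697, "ServiceName": "ExampleSvc",
     "ServiceFileName": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # Benign: cmd with /c echo but no named pipe, so the 'all' clause fails
    {"EventID": 4697, "ServiceName": "LogWriter",
     "ServiceFileName": r"cmd.exe /c echo started > C:\logs\start.txt"},
    # Benign: rundll32 without the '.dll,a' export and '/p:' argument
    {"EventID": 4697, "ServiceName": "CplHelper",
     "ServiceFileName": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # Same getsystem path but from the System log (7045): not this rule's scope
    {"EventID": 7045, "ServiceName": "ignored",
     "ServiceFileName": r"cmd.exe /c echo x > \\.\pipe\x"},
]


if __name__ == "__main__":
    for name in detect(SAMPLE_EVENTS):
        print(f"getsystem service installation: {name}")
```

Running the script prints the two constructed getsystem services and nothing for the benign or 7045 records; the fourth and fifth samples show why the rule requires all of the substrings in a variant rather than any one of them.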
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Service
Created: 2019-10-26