
Summary
This detection rule identifies potentially malicious invocation of obfuscated PowerShell scripts through the Microsoft HTML Application Host (MSHTA) utility. It focuses on EventID 4697, which is logged when a new service is created. The rule checks the service file name of that event for keywords associated with script execution and obfuscation: 'mshta', 'vbscript:createobject', '.run', and 'window.close'. When these keywords appear in the service file name of an EventID 4697 event, the rule raises an alert because of the high likelihood that the service is a security threat. Notable references include detection discussions within the Sigma project, which highlight the growing concern over obfuscation techniques used to bypass traditional security controls.
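The following is an added example, not the Sigma project's own rule code: it applies the logic described above to constructed 4697 events. It assumes that every keyword must be present and that matching is case-insensitive; the sample events, service names and payload placeholder are constructed for the example.

```python
from typing import Iterable, List

# Keywords the rule looks for in the ServiceFileName of an EventID 4697 event.
OBFUSCATION_KEYWORDS = ("mshta", "vbscript:createobject", ".run", "window.close")


def matches_rule(event: dict) -> bool:
    """Return True when a 4697 (service created) event's ServiceFileName
    contains every keyword. Assumptions for this example: all keywords must
    be present and the comparison is case-insensitive."""
    if event.get("EventID") != 4697:
        return False
    file_name = str(event.get("ServiceFileName", "")).lower()
    return all(keyword in file_name for keyword in OBFUSCATION_KEYWORDS)


def find_alerts(events: Iterable[dict]) -> List[str]:
    """Return the ServiceName of every event that triggers the rule."""
    return [e["ServiceName"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Only the second one should alert.
SAMPLE_EVENTS = [
    # Ordinary service installation: no keywords, no alert.
    {"EventID": 4697, "ServiceName": "WinDefend",
     "ServiceFileName": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    # MSHTA launcher registered as the service binary; the payload is a placeholder.
    # Mixed case exercises the case-insensitive match.
    {"EventID": 4697, "ServiceName": "UpdaterSvc",
     "ServiceFileName": 'mshta vbscript:CreateObject("WScript.Shell")'
                        '.Run("<PAYLOAD_PLACEHOLDER>",0)(window.close)'},
    # Same keywords but a different event ID (System log 7045 rather than
    # Security 4697): outside this rule's scope, so no alert from this rule.
    {"EventID": 7045, "ServiceName": "UpdaterSvc2",
     "ServiceFileName": 'mshta vbscript:CreateObject("WScript.Shell")'
                        '.Run("<PAYLOAD_PLACEHOLDER>",0)(window.close)'},
    # Plain mshta.exe running a local HTA: only one keyword present, no alert.
    {"EventID": 4697, "ServiceName": "HelpViewer",
     "ServiceFileName": r"C:\Windows\System32\mshta.exe C:\help\viewer.hta"},
]

if __name__ == "__main__":
    for name in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: obfuscated MSHTA launcher installed as service {name}")
```

The fourth sample shows the value of requiring all keywords: a bare mshta.exe path alone does not trigger the rule.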
Categories
- Endpoint
- Windows
Data Sources
- Process
- Script
- Logon Session
Created: 2020-10-09