
Summary
This detection rule identifies the installation of various remote access tools (RATs) on Windows systems, which threat actors frequently abuse for unauthorized access. The rule monitors Windows Event ID 4697, which logs the creation of a service, and its detection logic includes specific service names associated with popular remote access software. The presence of these services can indicate unauthorized access, since attackers often use such tools to maintain persistence on compromised systems. The rule strengthens security monitoring by flagging installations of tools commonly leveraged for malicious purposes, so that organizations can respond appropriately when such activity is detected. Because some legitimate administrative tools also match the criteria, the rule's design acknowledges the likelihood of false positives and advises users to disable the detection for known legitimate services.
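The detection logic described above, as an added Python example that is not the rule's own implementation: it parses constructed Event ID 4697 XML records, matches the service name against a watchlist, and suppresses approved tools to handle the false positives the summary anticipates. The watchlist and allowlist names are placeholders assumed for the example, to be replaced with the service names the production rule actually carries.

```python
"""Added example, not the rule's own code: the Event ID 4697 detection logic
described above, run over constructed Windows Security event XML records."""
import xml.etree.ElementTree as ET

# Constructed watchlist of service names tied to remote access software;
# replace with the names the production rule actually carries.
RAT_SERVICE_NAMES = {"anydesk", "teamviewer", "rustdesk", "ammyyadmin"}
# Constructed allowlist: tools this site has approved, so the known false
# positives the rule description anticipates are suppressed, not alerted.
APPROVED_SERVICES = {"teamviewer"}

def parse_4697(xml_text):
    """Pull the rule-relevant fields from one Security event XML record.
    The {*} wildcard matches the Windows event namespace without hard-coding it."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("./{*}EventData/{*}Data")}
    return {"event_id": int(root.findtext("./{*}System/{*}EventID")),
            "host": root.findtext("./{*}System/{*}Computer"),
            "user": data.get("SubjectUserName", ""),
            "service": data.get("ServiceName", ""),
            "path": data.get("ServiceFileName", "")}

def detect(record, watchlist=RAT_SERVICE_NAMES, approved=APPROVED_SERVICES):
    """Return the record when a 4697 event installs a watched, unapproved service."""
    if record["event_id"] != 4697:
        return None
    name = record["service"].strip().lower()
    if name not in watchlist or name in approved:
        return None
    return record

def scan(xml_records, **kw):
    """Apply detect() to every record; the result is the list of alerts."""
    return [r for r in (detect(parse_4697(x), **kw) for x in xml_records) if r]

def _record(computer, user, service, path):
    """Build a constructed 4697 record in the shape Windows writes to the Security log."""
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>4697</EventID><Computer>{computer}</Computer></System>"
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="ServiceName">{service}</Data>'
            f'<Data Name="ServiceFileName">{path}</Data></EventData></Event>')

# Constructed samples: an unapproved RAT, the approved tool, and an unrelated service.
SAMPLE_RECORDS = [
    _record("WS01", "jdoe", "AnyDesk", r"C:\ProgramData\AnyDesk\AnyDesk.exe"),
    _record("WS02", "itadmin", "TeamViewer", r"C:\Program Files\TeamViewer\TeamViewer_Service.exe"),
    _record("WS03", "SYSTEM", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
]
```

Running `scan(SAMPLE_RECORDS)` yields a single alert for the AnyDesk install; passing `approved=set()` also surfaces the TeamViewer record, which is the behaviour the summary describes before a known legitimate service is excluded.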
Categories
- Windows
- Endpoint
Data Sources
- Service
- Logon Session
Created: 2022-12-23