
Summary
This detection rule identifies malicious service installations commonly associated with Cobalt Strike beacons, a tool often used for privilege escalation and lateral movement within a network. It relies on Windows Event ID 7045, which is logged when a new service is installed. The rule inspects the ImagePath of each new service for indicators that suggest execution of a malicious script or binary: an installation path containing segments such as 'ADMIN$' or '.exe', and PowerShell commands that are obfuscated or run in a hidden window. This helps detect attempts to install persistent services that could be used to establish a foothold in a compromised environment. Effective detection requires correlating these service installations with the specific characteristics detailed in the rule, which provides vital insight into ongoing attacks that use Cobalt Strike.
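The indicators described above, as an added Python example that is not the rule's own logic: it treats an ImagePath that names both ADMIN$ and an .exe, or that launches PowerShell with a hidden-window or encoded-command switch, as suspicious, and runs that check over constructed Event ID 7045 records. The record shape, the sample values and the exact combination of indicators are assumptions; the shipped rule's selection may differ.

```python
import re

# Constructed sample records shaped like Event ID 7045 (System log, source
# "Service Control Manager"); illustrative only, not taken from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "3f2a1c9",
     "ImagePath": r"\\127.0.0.1\ADMIN$\3f2a1c9.exe"},
    {"EventID": 7045, "ServiceName": "Updater",
     "ImagePath": "powershell.exe -nop -w hidden "
                  "-encodedcommand <constructed-base64-placeholder>"},
    {"EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"EventID": 7045, "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe -service"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": ""},  # state change, not an install
]

# Hidden-window and encoded-command switches in the abbreviated forms PowerShell
# accepts (-w/-win/-windowstyle, -e/-enc/-encodedcommand); matched case-insensitively.
_HIDDEN = re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden\b", re.IGNORECASE)
_ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+\S+", re.IGNORECASE)


def classify_image_path(image_path):
    """Return the indicator names matched by one ImagePath (empty list if none)."""
    path = image_path.lower()
    reasons = []
    # Service binary staged on the remote ADMIN$ share and launched from there.
    if "admin$" in path and ".exe" in path:
        reasons.append("admin_share_binary")
    if "powershell" in path:
        if _HIDDEN.search(path):
            reasons.append("powershell_hidden_window")
        if _ENCODED.search(path):
            reasons.append("powershell_encoded_command")
    return reasons


def detect_service_installs(events):
    """Keep only 7045 records; return [(ServiceName, reasons)] for flagged installs."""
    hits = []
    for event in events:
        if event.get("EventID") != 7045:
            continue  # only new-service installs are in scope for this rule
        reasons = classify_image_path(event.get("ImagePath", ""))
        if reasons:
            hits.append((event["ServiceName"], reasons))
    return hits
```

Feeding real 7045 records into `detect_service_installs` only requires mapping the event's ServiceName and ImagePath fields onto the dictionary keys used here.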
Categories
- Endpoint
- Windows
Data Sources
- Service
Created: 2021-05-26