Metasploit Or Impacket Service Installation Via SMB PsExec

Sigma Rules

View Source
Summary
This detection rule identifies service installations associated with lateral movement, specifically the ones produced by Metasploit's SMB PsExec module (exploit/windows/smb/psexec) and Impacket's psexec.py. It triggers on Windows Security event ID 4697, which records the installation of a service on the system. The rule flags suspicious installations by matching the service name and the service file name against the naming conventions and configuration these tools leave behind. Event 4697 is only written when the "Audit Security System Extension" subcategory (under the System category of the advanced audit policy) is enabled, so that subcategory must be turned on or the rule has no events to match. For detection, it looks for service names that are exactly four, eight, or sixteen characters long, combined with a service file name that matches the expected pattern. Installations involving the PSEXESVC service are filtered out to reduce false positives, since that is the service installed by the legitimate Sysinternals PsExec tool.
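As an added example (not the rule's own logic and not code from the Sigma project), the following Python runs a simplified form of this detection over a few constructed 4697 events. The service file name pattern (an eight-letter .exe directly under %SystemRoot%), the sample service names and paths, and the Sigma-style field names are assumptions made for illustration; the published rule's exact regexes may differ, so treat the rule itself as authoritative.

```python
import re

# Windows Security event 4697 as it might look after log collection. The field
# names follow the Sigma convention (ServiceName, ServiceFileName); every event
# below is constructed for this example.
SAMPLE_EVENTS = [
    # Assumed Metasploit exploit/windows/smb/psexec style install: short random
    # service name, 8-letter random binary dropped under %SystemRoot%.
    {"EventID": 4697, "ServiceName": "HqkZ",
     "ServiceFileName": r"%SystemRoot%\ZxQwErTy.exe"},
    # Assumed Impacket psexec.py style install with a 16-letter service name.
    {"EventID": 4697, "ServiceName": "pdRWjxvnLqyAkTsB",
     "ServiceFileName": r"%SystemRoot%\MdJEnhQb.exe"},
    # Legitimate Sysinternals PsExec: 8-letter name, so it would pass the
    # length check and is only removed by the PSEXESVC filter.
    {"EventID": 4697, "ServiceName": "PSEXESVC",
     "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe"},
    # Ordinary software install with a descriptive name and vendor path.
    {"EventID": 4697, "ServiceName": "MyVendorAgent",
     "ServiceFileName": r"C:\Program Files\MyVendor\agent.exe"},
    # Same shape but a different event ID (System log 7045), out of scope here.
    {"EventID": 7045, "ServiceName": "HqkZ",
     "ServiceFileName": r"%SystemRoot%\ZxQwErTy.exe"},
]

# Exactly 4, 8 or 16 ASCII letters, as the rule summary describes.
NAME_RE = re.compile(r"^(?:[A-Za-z]{4}|[A-Za-z]{8}|[A-Za-z]{16})$")
# Assumption for this example: an 8-letter .exe directly under %SystemRoot%.
# The page does not state the rule's real file name pattern; adjust to match it.
FILE_RE = re.compile(r"^%SystemRoot%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def is_psexec_service_install(event: dict) -> bool:
    """Return True when the event matches the Metasploit/Impacket service pattern."""
    if event.get("EventID") != 4697:
        return False
    name = event.get("ServiceName", "")
    path = event.get("ServiceFileName", "")
    # Filter: the Sysinternals PsExec service is expected and excluded.
    if "PSEXESVC" in name.upper() or "PSEXESVC" in path.upper():
        return False
    return bool(NAME_RE.match(name) and FILE_RE.match(path))


def matching_service_names(events) -> list:
    """Service names of all events the rule would alert on, in input order."""
    return [e["ServiceName"] for e in events if is_psexec_service_install(e)]


if __name__ == "__main__":
    for name in matching_service_names(SAMPLE_EVENTS):
        print("ALERT: suspicious service install", name)
```

Before relying on the rule, confirm that the required subcategory is actually enabled on the monitored hosts (for example with `auditpol /get /subcategory:"Security System Extension"`); without it the 4697 events never reach the collector and the rule silently matches nothing.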
Categories
  • Windows
Data Sources
  • Service
  • Windows Registry
Created: 2021-01-21