
Invoke-Obfuscation Via Use Rundll32 - System

Sigma Rules

Summary
This detection rule identifies the execution of obfuscated PowerShell commands that use 'rundll32' to bypass security controls on Windows systems. It watches the Service Control Manager's EventID 7045 in the System log, which records the installation of a new service. The presence of certain keywords in the 'ImagePath' field of that event (such as 'rundll32', 'shell32.dll', 'shellexec_rundll', and several others) raises an alert, indicating a potential evasion tactic in which PowerShell is launched indirectly through a system binary rather than directly as the service image. This behavior is common where attackers try to hide their activity by using built-in tools to launch potentially harmful scripts without drawing attention. Monitoring for the identified patterns can help security teams detect and mitigate the advanced techniques often associated with sophisticated threats.
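The matching logic the summary describes, as an added Python example that is not code from this page or from the Sigma project: it checks constructed System-log records for EventID 7045 from the Service Control Manager and requires the ImagePath to contain the three keywords the page names. The field names (EventID, Provider_Name, ImagePath), the assumption that the keywords are combined as "contains all", and the sample records are all assumptions or constructed here; the real rule's keyword list is longer than the three used below.

```python
# Added example, not part of the rule page or the Sigma project.
from dataclasses import dataclass

# Keywords the page names. Assumption: the rule requires ImagePath to
# contain all of them; the real rule's list has further entries.
REQUIRED_KEYWORDS = ("rundll32", "shell32.dll", "shellexec_rundll")


@dataclass(frozen=True)
class ServiceEvent:
    """Minimal view of a Windows event: EventID, Provider_Name, ImagePath."""
    event_id: int
    provider: str
    image_path: str


def matches_rule(ev: ServiceEvent) -> bool:
    """True when the record is a 7045 service-install event whose ImagePath
    carries the rundll32 / shell32.dll / ShellExec_RunDLL launcher pattern."""
    if ev.event_id != 7045 or ev.provider != "Service Control Manager":
        return False
    path = ev.image_path.lower()  # Sigma string matching is case-insensitive
    return all(keyword in path for keyword in REQUIRED_KEYWORDS)


def scan(events):
    """Return the ImagePath of every event that triggers the rule."""
    return [ev.image_path for ev in events if matches_rule(ev)]


# Constructed sample records, not captured from a real host.
SAMPLE_EVENTS = [
    # Ordinary service install: no rundll32 launcher pattern.
    ServiceEvent(7045, "Service Control Manager",
                 r"C:\Windows\System32\svchost.exe -k netsvcs"),
    # The pattern the rule targets (command argument is a placeholder).
    ServiceEvent(7045, "Service Control Manager",
                 'rundll32.exe SHELL32.DLL,ShellExec_RunDLL "<constructed placeholder>"'),
    # Same ImagePath text but not a service-install event: out of scope.
    ServiceEvent(4688, "Microsoft-Windows-Security-Auditing",
                 "rundll32.exe shell32.dll,ShellExec_RunDLL notepad.exe"),
    # rundll32 alone is a legitimate, common service image: no alert.
    ServiceEvent(7045, "Service Control Manager",
                 r"C:\Windows\System32\rundll32.exe printui.dll,PrintUIEntry"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```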
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • Service
Created: 2020-10-09