New PDQDeploy Service - Server Side

Sigma Rules

Summary
This detection rule identifies the installation of the PDQ Deploy service on the server side, that is, on the Windows host where PDQ Deploy itself is installed rather than on the machines it targets. It does so by monitoring the Service Control Manager for Event ID 7045 in the System log, which is written whenever a new service is installed. The presence of this service matters because PDQ Deploy can push packages and execute commands on remote machines; an attacker who installs or takes over it gains the same capability and can use it to escalate privileges or carry out unauthorized operations across the environment, putting system integrity at risk. The rule matches on the service's executable path ('PDQDeployService.exe') together with the service names associated with it. Because the tool is widely used legitimately, the rule includes a false-positive note: a hit on a designated deployment server is expected, while the same service appearing on any other host deserves a closer look. Administrators should review every installation flagged by this rule to confirm that it is necessary and intended.
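The matching logic described above, written out as an added example rather than the Sigma rule file itself: a function that evaluates constructed Service Control Manager events against the selection (provider, Event ID 7045, executable path and service name, all required), plus a triage step that applies the false-positive note as an allowlist of approved deployment servers instead of weakening the rule. The service-name list, the install path and the host names are assumptions for illustration; the sample events are constructed, not real telemetry. The third sample deliberately shows the gap such a rule leaves when the binary is renamed but the service name is kept.

```python
"""Sigma-style matcher for 'New PDQDeploy Service - Server Side' over constructed
System-log events. Example code added here; not the rule file or PDQ's own code."""

from typing import Dict, Iterable, List

# Assumed: the page names the executable but does not quote the rule's service names.
PDQ_SERVICE_NAMES = {"pdqdeploy", "pdq deploy"}
PDQ_IMAGE_FRAGMENT = "pdqdeployservice.exe"

# Constructed sample events (not real telemetry); field names follow the Sigma
# Windows 'system' log conventions. Only fields used below are included.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # legitimate install on the approved deployment server
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "Computer": "DEPLOY01", "ServiceName": "PDQDeploy",
        "ImagePath": r"C:\Program Files (x86)\Admin Arsenal\PDQ Deploy\PDQDeployService.exe",
    },
    {   # same service on a workstation: the case worth an analyst's time
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "Computer": "WS-FINANCE-07", "ServiceName": "PDQDeploy",
        "ImagePath": r"C:\Users\Public\PDQDeployService.exe",
    },
    {   # renamed binary, original service name: slips past an AND-style selection
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "Computer": "WS-HR-02", "ServiceName": "PDQ Deploy",
        "ImagePath": r"C:\Windows\Temp\svc.exe",
    },
    {   # unrelated service install: must not match
        "Provider_Name": "Service Control Manager", "EventID": 7045,
        "Computer": "DEPLOY01", "ServiceName": "Sysmon64",
        "ImagePath": r"C:\Windows\Sysmon64.exe",
    },
    {   # PDQ service state change (7036), not an install: must not match
        "Provider_Name": "Service Control Manager", "EventID": 7036,
        "Computer": "DEPLOY01", "ServiceName": "PDQDeploy",
    },
]


def matches_rule(event: Dict[str, object]) -> bool:
    """Selection: provider AND EventID 7045 AND executable path AND service name.
    Sigma string matching is case-insensitive, hence the lower() calls."""
    if event.get("Provider_Name") != "Service Control Manager":
        return False
    if event.get("EventID") != 7045:
        return False
    image = str(event.get("ImagePath", "")).lower()
    name = str(event.get("ServiceName", "")).lower()
    return PDQ_IMAGE_FRAGMENT in image and name in PDQ_SERVICE_NAMES


def triage(events: Iterable[Dict[str, object]],
           approved_hosts: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Return matching events annotated with whether the host is an approved
    deployment server. The allowlist is the false-positive filter; the rule
    itself stays unchanged so unexpected hosts are never silently dropped."""
    approved = {h.upper() for h in approved_hosts}
    hits: List[Dict[str, object]] = []
    for event in events:
        if not matches_rule(event):
            continue
        hits.append({
            "Computer": event.get("Computer"),
            "ServiceName": event.get("ServiceName"),
            "ImagePath": event.get("ImagePath"),
            "expected": str(event.get("Computer", "")).upper() in approved,
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, approved_hosts=["DEPLOY01"]):
        flag = "expected" if hit["expected"] else "REVIEW"
        print(f"[{flag}] {hit['Computer']}: {hit['ServiceName']} -> {hit['ImagePath']}")
```

Run as is, the script reports the DEPLOY01 install as expected and the WS-FINANCE-07 install for review; the WS-HR-02 event, where only the service name survives, produces no hit, which is the caveat to keep in mind when deciding whether to also alert on the service name alone.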
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Service
Created: 2022-07-22