
Summary
This analytic detection rule flags the creation of Windows services whose names are suspicious or known to be malicious. It uses Windows Event ID 7045 (a service was installed in the system), ingested from `wineventlog_system`, to monitor service installations, a tactic commonly used by threat actors and notably associated with ransomware groups such as Clop. The rule extracts the parameters needed to triage the event, including the computer name, service name, image path, start type, account name and user ID. Each installed service name is compared against a lookup table of suspicious service names, and a match is raised as a finding, since an attacker-installed service can provide persistence, backdoor access, privilege escalation (services typically run as LocalSystem) or remote execution. Implementers should confirm that the Service Name and Start Type fields from 7045 events are actually being ingested and extracted, otherwise the lookup never matches. Legitimate software whose service names happen to appear in the lookup will produce false positives; identify such services in your environment and filter them so the alert remains actionable.
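The following is an added example, not the rule's own SPL or part of the original page. It emulates the detection logic in Python: parse a handful of constructed Event ID 7045 records in key=value form, match the service name against a stand-in lookup of suspicious names using case-insensitive wildcard patterns (the pattern list, the allowlist and every event below are constructed for illustration and are not the rule's real lookup contents), and drop known-legitimate (host, service) pairs to address the false-positive caveat above. Only the non-7045 event and the allowlisted entry are excluded from the result.

```python
import fnmatch
import re

# Constructed sample of System log events as key=value lines (not real telemetry).
# Four are 7045 service-install events; one 7036 state-change event is included
# to show that the EventCode filter is applied before the name lookup.
SAMPLE_EVENTS = r'''
EventCode=7045 ComputerName="WS01.corp.example" ServiceName="Dell Hardware Support" ImagePath="C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe" ServiceType="user mode service" StartType="auto start" AccountName="LocalSystem" UserID="S-1-5-18"
EventCode=7045 ComputerName="WS02.corp.example" ServiceName="PSEXESVC" ImagePath="%SystemRoot%\PSEXESVC.exe" ServiceType="user mode service" StartType="demand start" AccountName="LocalSystem" UserID="S-1-5-18"
EventCode=7045 ComputerName="SRV01.corp.example" ServiceName="mimikatz-svc" ImagePath="C:\Users\Public\m.exe" ServiceType="user mode service" StartType="auto start" AccountName="LocalSystem" UserID="S-1-5-18"
EventCode=7036 ComputerName="SRV01.corp.example" ServiceName="PSEXESVC"
EventCode=7045 ComputerName="WS03.corp.example" ServiceName="AcmeBackupAgent" ImagePath="C:\Program Files\Acme\backup.exe" ServiceType="user mode service" StartType="auto start" AccountName="LocalSystem" UserID="S-1-5-18"
'''

# Hypothetical stand-in for the rule's lookup table: glob patterns, compared
# case-insensitively. The real lookup shipped with the rule is not reproduced here.
SUSPICIOUS_SERVICE_NAMES = [
    "psexesvc",      # default service name created by PsExec
    "*mimikatz*",
    "*backdoor*",
]

# Hypothetical tuning allowlist of (ComputerName, lowercase ServiceName) pairs
# for hosts where a matching service is sanctioned, e.g. an admin jump box.
ALLOWLIST = {("WS02.corp.example", "psexesvc")}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
EVENT_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fields the rule surfaces for triage of a matching event.
OUTPUT_FIELDS = ("ComputerName", "ServiceName", "ImagePath", "StartType", "AccountName", "UserID")


def parse_event(line: str) -> dict:
    """Turn one key=value event line into a dict of field -> string value."""
    fields = {}
    for m in EVENT_FIELD_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def is_suspicious(service_name: str) -> bool:
    """Case-insensitive wildcard match of the service name against the lookup."""
    name = service_name.lower()
    return any(fnmatch.fnmatchcase(name, pattern.lower()) for pattern in SUSPICIOUS_SERVICE_NAMES)


def detect(raw_events: str, allowlist=ALLOWLIST) -> list:
    """Return the triage fields of every 7045 event whose service name hits the lookup
    and is not explicitly allowlisted for that host."""
    hits = []
    for line in raw_events.strip().splitlines():
        event = parse_event(line)
        if event.get("EventCode") != "7045":
            continue                      # only service-install events are in scope
        service_name = event.get("ServiceName", "")
        if not is_suspicious(service_name):
            continue
        if (event.get("ComputerName"), service_name.lower()) in allowlist:
            continue                      # known-legitimate on this host: suppress
        hits.append({k: event.get(k) for k in OUTPUT_FIELDS})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints a single finding, the `mimikatz-svc` install on SRV01; the PsExec install on WS02 matches the lookup but is suppressed by the allowlist, and the 7036 event is never evaluated. Calling `detect(SAMPLE_EVENTS, allowlist=set())` shows both lookup hits, which is the behaviour to expect before any environment-specific tuning.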
Categories
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1569
- T1569.002
- T1055
Created: 2025-02-07