Invoke-Obfuscation Via Use MSHTA - System

Sigma Rules

Summary
This detection rule identifies an obfuscation tactic used by threat actors who launch the MSHTA application (Microsoft HTML Application Host, `mshta`) on Windows systems through the Service Control Manager. It watches the System log for Event ID 7045, which is written whenever a new service is installed, and checks whether the service's ImagePath runs `mshta` in a suspicious context, specifically together with `vbscript:createobject`. That combination indicates a script that attempts to execute a payload hidden from normal scrutiny. The key indicators are therefore the event provider being the Service Control Manager and both keywords appearing in the ImagePath, a pattern that can indicate obfuscated PowerShell execution in the style of Invoke-Obfuscation. The rule is rated high severity because the technique is used to evade security controls and run payloads that could compromise system integrity. Prompt investigation is recommended when it fires, to confirm whether the service is legitimate and to address any risk.
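The matching logic described above, reimplemented over a few constructed service-install records as an added example (this is not the rule's own code or the Sigma backend's output; the event dictionaries and service names are made up for illustration). Like Sigma's `contains` modifier, the substring checks are case-insensitive, and every required keyword must be present.

```python
# Constructed sample records shaped like Windows System-log service-install
# events (Event ID 7045 from the Service Control Manager). All values here are
# invented for the example, not taken from any real host.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Provider_Name": "Service Control Manager",
     "ServiceName": "Backup Agent",
     "ImagePath": r'"C:\Program Files\Vendor\bkagent.exe" --service'},
    {"EventID": 7045, "Provider_Name": "Service Control Manager",
     "ServiceName": "updsvc",
     # mshta alone is not enough: the rule needs both keywords
     "ImagePath": r"C:\Windows\System32\mshta.exe C:\Temp\page.hta"},
    {"EventID": 7045, "Provider_Name": "Service Control Manager",
     "ServiceName": "abcd1234",
     # the pattern the rule targets; inner command kept harmless on purpose
     "ImagePath": 'mshta vbscript:CreateObject("WScript.Shell")'
                  '.Run("notepad.exe",0)(window.close)'},
    {"EventID": 4688, "Provider_Name": "Microsoft-Windows-Security-Auditing",
     "ServiceName": "n/a",
     # right keywords, wrong event: a process-creation record is out of scope
     "ImagePath": "mshta vbscript:createobject(...)"},
]

# Keywords named in the rule description; all of them must appear in ImagePath.
REQUIRED_SUBSTRINGS = ("mshta", "vbscript:createobject")


def matches_rule(event):
    """Return True when a single event satisfies every condition of the rule."""
    if event.get("EventID") != 7045:
        return False
    if event.get("Provider_Name") != "Service Control Manager":
        return False
    image_path = str(event.get("ImagePath", "")).lower()
    return all(keyword in image_path for keyword in REQUIRED_SUBSTRINGS)


def find_hits(events):
    """Filter a list of events down to the ones the rule would alert on."""
    return [event for event in events if matches_rule(event)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"ALERT service={hit['ServiceName']!r} path={hit['ImagePath']}")
```

Only the third record fires; the plain `mshta.exe` service install and the process-creation event are intentionally left out so the "all keywords, right event" behaviour is visible.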
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Script
  • Process
Created: 2020-10-09