
Summary
This detection rule identifies potentially unauthorized remote service access through the Service Control Manager named pipe (`svcctl`) on Windows systems. It alerts on Event ID 5145, which is logged when a remote connection requests access to the `svcctl` named pipe with the 'WriteData' access type. Because remote service activity is a common vector for lateral movement and persistence, monitoring this access is an important part of defending Windows hosts. The rule depends on the advanced audit policy for file share access being enabled; without it, these access attempts are not logged. The rule carries a medium alert severity: a match warrants further investigation but does not by itself indicate an active compromise.
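As an added illustration (not the rule's own logic or any vendor's code), the matcher below applies the condition described above to constructed Event ID 5145 records: the target must be the `svcctl` pipe and the requested `AccessMask` must include the WriteData bit (`FILE_WRITE_DATA`, 0x2). The field names mirror the EventData of a 5145 event; the sample values, including the IP addresses and account names, are constructed.

```python
# Added example: minimal matcher for the svcctl/WriteData pattern over
# constructed Event ID 5145 records. Not the detection rule's own code.
FILE_WRITE_DATA = 0x2  # the WriteData bit in the 5145 AccessMask field

# Constructed sample events, shaped like the EventData fields of 5145.
SAMPLE_EVENTS = [
    {"EventID": "5145", "IpAddress": "10.0.0.25", "SubjectUserName": "jdoe",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl",
     "AccessMask": "0x12019f"},   # svcctl, mask includes WriteData -> hit
    {"EventID": "5145", "IpAddress": "10.0.0.31", "SubjectUserName": "svc_mon",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl",
     "AccessMask": "0x100080"},   # svcctl, but no WriteData bit -> no hit
    {"EventID": "5145", "IpAddress": "10.0.0.25", "SubjectUserName": "jdoe",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "samr",
     "AccessMask": "0x12019f"},   # WriteData, but a different pipe -> no hit
    {"EventID": "5140", "IpAddress": "10.0.0.25", "SubjectUserName": "jdoe",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "svcctl",
     "AccessMask": "0x12019f"},   # not a 5145 event -> no hit
]


def is_svcctl_write(ev):
    """True when a 5145 event targets the svcctl pipe with WriteData requested."""
    if ev.get("EventID") != "5145":
        return False
    if ev.get("RelativeTargetName", "").lower() != "svcctl":
        return False
    try:
        mask = int(ev.get("AccessMask", "0"), 16)  # rendered as hex, e.g. 0x12019f
    except ValueError:
        return False
    return bool(mask & FILE_WRITE_DATA)


def find_svcctl_writes(events):
    """Return (source IP, account) pairs for matching events, de-duplicated in order."""
    hits = []
    for ev in events:
        if is_svcctl_write(ev):
            key = (ev.get("IpAddress", "-"), ev.get("SubjectUserName", "-"))
            if key not in hits:
                hits.append(key)
    return hits


if __name__ == "__main__":
    for ip, user in find_svcctl_writes(SAMPLE_EVENTS):
        print(f"svcctl WriteData from {ip} as {user}: review for remote service activity")
```

In a real deployment the events would come from the Security log of hosts with the file share audit subcategory enabled, and the source IP and account would be pivoted on to confirm whether the service interaction was expected.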
Categories
- Endpoint
- Windows
Data Sources
- Named Pipe
- Windows Registry
- Logon Session
Created: 2019-04-03