
Summary
This threat detection rule identifies and alerts on obfuscated PowerShell commands that read their script from standard input (stdin), as observed in the 'ServiceFileName' field. It focuses on Windows Security Event ID 4697, which records the installation of a new service. Specifically, it looks for a ServiceFileName that contains the launcher keywords 'cmd' or 'powershell' together with the indicators of stdin-based execution: the substrings '${input}' and 'noexit', and the cmd.exe command-line switches ' /c ' or ' /r '. Only when all of these selections match is an alert raised at level 'high'. Enabling the 'System Security Extension' audit subcategory, which produces Event ID 4697, lets organizations detect this misuse of PowerShell and respond to activity intended to circumvent security controls. The rule therefore helps identify exploitation attempts that rely on obfuscation to evade detection. False positives are possible; their status is currently unknown.
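The following is an added example, not the rule's own implementation, showing how the selections described above combine over Event ID 4697 records. The field names (EventID, ServiceName, ServiceFileName) follow the Windows Security log; the 'Key: Value' text export format and the sample events are constructed for illustration, and the service names and file paths in them are made up.

```python
"""Added example: apply the Event ID 4697 / ServiceFileName checks described in the
summary to constructed sample events. Illustrative code only, not the rule itself."""

# Keyword groups taken from the rule description. Every group must have at least
# one hit for an event to match, which is what keeps the rule's false-positive
# rate low: a plain 'cmd /c install.bat' service does not trigger it.
INTERPRETER_KEYWORDS = ("cmd", "powershell")   # launcher binaries
SWITCH_KEYWORDS = (" /c ", " /r ")              # cmd.exe "run command" switches
STDIN_MARKER = "${input}"                       # PowerShell reading its script from stdin
NOEXIT_MARKER = "noexit"                        # keeps the host open after the piped script


def matches_rule(event: dict) -> bool:
    """Return True when the event is a 4697 record whose ServiceFileName satisfies
    all four selections of the rule (case-insensitive substring checks)."""
    if event.get("EventID") != 4697:
        return False
    sfn = str(event.get("ServiceFileName", "")).lower()
    return (
        any(k in sfn for k in INTERPRETER_KEYWORDS)
        and any(k in sfn for k in SWITCH_KEYWORDS)
        and STDIN_MARKER in sfn
        and NOEXIT_MARKER in sfn
    )


def parse_events(text: str) -> list:
    """Parse a minimal constructed 'Key: Value' export into event dicts.
    Blank lines separate events; only the first ':' on a line splits key from value,
    so Windows paths such as 'C:\\...' inside values survive intact."""
    events, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        current[key] = int(value) if key == "EventID" else value
    if current:
        events.append(current)
    return events


def alerts(text: str) -> list:
    """Return the ServiceName of every event in the export that matches the rule."""
    return [e.get("ServiceName", "?") for e in parse_events(text) if matches_rule(e)]


# Constructed sample export: a benign service, a benign 'cmd /c' installer, one
# service shaped like the stdin launcher the rule describes, and the same launcher
# seen as a System-log 7045 record, which this Security-log rule does not cover.
SAMPLE_LOG = """\
EventID: 4697
ServiceName: UpdaterSvc
ServiceFileName: C:\\Windows\\System32\\svchost.exe -k netsvcs

EventID: 4697
ServiceName: DeployTask
ServiceFileName: cmd /c C:\\deploy\\install.bat

EventID: 4697
ServiceName: svc_update
ServiceFileName: cmd /c "echo <obfuscated script placeholder> | powershell -noexit -c ${input}"

EventID: 7045
ServiceName: svc_update
ServiceFileName: cmd /c "echo <obfuscated script placeholder> | powershell -noexit -c ${input}"
"""

if __name__ == "__main__":
    for name in alerts(SAMPLE_LOG):
        print(f"HIGH: suspicious service creation matching stdin launcher pattern: {name}")
```

Running the block reports only 'svc_update' from the 4697 record; the 'DeployTask' service is ignored because it lacks the '${input}' and 'noexit' markers, and the 7045 record is skipped because the rule is scoped to the Security log's Event ID 4697.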
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- Process
Created: 2020-10-15