Windows Bluetooth Service Installed From Uncommon Location

Splunk Security Content

Summary
This rule detects the installation of a Windows service named "BluetoothService" whose binary (ImagePath) resides in user-writable directories such as AppData, Temp, or other user profiles. It targets events where a new service is created (Windows Event Log 7045) with service names like "BluetoothService" or "Bluetooth Service" and ImagePath patterns that point into non-system directories (e.g., %AppData%, %Temp%, ProgramData, or users\<user>\Bluetooth\*). Attackers have used this technique for persistence, most notably in the Lotus Blossom Chrysalis campaign, where a malicious binary (a renamed Bitdefender Submission Wizard) was registered as BluetoothService from a hidden AppData directory. Legitimate Bluetooth services on Windows typically reside in System32, so a BluetoothService created with a binary path in a user-writable location is highly suspicious and merits investigation for potential malware persistence. The rule relies on Windows Event ID 7045 to capture service installation details (ServiceName, ImagePath, StartType, etc.) and filters for known adversarial patterns. This aligns with MITRE techniques T1543.003 (Create or Modify System Process: Windows Service) and T1036 (Masquerading). Implementation focuses on endpoint visibility into service creation events and suspicious binary paths, enabling rapid detection of and response to persistence mechanisms.
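The detection logic described above, as an added Python illustration rather than the Splunk rule's own search: it runs over constructed Event ID 7045 records (ServiceName, ImagePath fields as the System log exposes them), normalises a quoted or argument-bearing ImagePath down to the binary, and flags Bluetooth-named services whose binary sits in one of the user-writable locations the summary lists while exempting System32/SysWOW64. The sample events and helper names are assumptions.

```python
import re

# Constructed sample 7045 records (not from the original page). The last two are
# negative cases: a non-Bluetooth name, and a non-7045 event code.
SAMPLE_EVENTS = [
    {"EventCode": 7045, "ServiceName": "BluetoothService",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k LocalService -p"},
    {"EventCode": 7045, "ServiceName": "Bluetooth Service",
     "ImagePath": "C:\\Users\\alice\\AppData\\Roaming\\Bluetooth\\BluetoothService.exe"},
    {"EventCode": 7045, "ServiceName": "BluetoothService",
     "ImagePath": '"C:\\ProgramData\\Bluetooth\\bt.exe" --svc'},
    {"EventCode": 7045, "ServiceName": "UpdaterSvc",
     "ImagePath": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe"},
    {"EventCode": 7036, "ServiceName": "BluetoothService",
     "ImagePath": "C:\\Users\\alice\\AppData\\Roaming\\bt.exe"},
]

# "BluetoothService" or "Bluetooth Service", case-insensitive, whole field.
SERVICE_NAME_RE = re.compile(r"^\s*bluetooth\s?service\s*$", re.IGNORECASE)
# User-writable / non-system locations named in the summary, matched against the
# normalised path: env-var forms, AppData, Temp, ProgramData, Users\<user>\Bluetooth\.
SUSPICIOUS_PATH_RE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|\\appdata\\|\\temp\\|\\programdata\\"
    r"|\\users\\[^\\]+\\bluetooth\\)",
    re.IGNORECASE,
)
SYSTEM_PATH_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)


def normalise_image_path(image_path):
    """Return only the binary path: strip quotes and trailing service arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]  # unquoted path: first token, as the SCM would resolve it


def is_suspicious_bluetooth_service(event):
    """True for a 7045 event installing a Bluetooth-named service from a user-writable path."""
    if event.get("EventCode") != 7045:
        return False
    if not SERVICE_NAME_RE.match(event.get("ServiceName", "")):
        return False
    path = normalise_image_path(event.get("ImagePath", ""))
    if SYSTEM_PATH_RE.match(path):
        return False  # the legitimate location for Bluetooth services
    return bool(SUSPICIOUS_PATH_RE.search(path))


def find_alerts(events):
    """Filter a batch of service-install events down to those that should alert."""
    return [e for e in events if is_suspicious_bluetooth_service(e)]
```

Running `find_alerts(SAMPLE_EVENTS)` returns the AppData and ProgramData installs only; the System32 svchost entry, the differently named Temp service and the 7036 status event are not flagged.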
Categories
  • Endpoint
  • Windows
Data Sources
  • Service
  • File
ATT&CK Techniques
  • T1543
  • T1036
  • T1543.003
Created: 2026-03-13