Potential Meterpreter/CobaltStrike Activity

Sigma Rules

Summary
This detection rule identifies potential Meterpreter or Cobalt Strike activity associated with the 'getsystem' command, which is commonly used for privilege escalation in Windows environments. The rule watches process creation events for the start of a service: the event must have 'services.exe' as its parent process, which indicates that the Service Control Manager launched the new process. Several selection criteria then check the command-line arguments for patterns typical of 'getsystem' service-based techniques, such as invocation through 'cmd' or 'rundll32'. To improve accuracy, the rule filters out known benign command lines that match these patterns but do not indicate malicious behaviour, reducing false positives. This lets security monitoring systems flag potential exploitation attempts while keeping reports of benign activity to a minimum.
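The following is an added example, not the Sigma rule's own YAML or a Sigma backend. It models the structure the summary describes (a service-start selection on the parent process, command-line selections for 'cmd' and 'rundll32', and a benign filter) as a small Python evaluator run over constructed process-creation events. The field names, the exact substring patterns, and the allowlist entry are assumptions chosen for the example, not the rule's real values.

```python
"""Toy evaluator for a 'getsystem'-style service-start detection.

Added example: it mirrors the rule's condition
    selection and 1 of selection_* and not filter
over constructed events. Field names and patterns are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessCreation:
    """Minimal process-creation event (field names are assumptions)."""
    parent_image: str
    image: str
    command_line: str


# selection: the new process was started by the Service Control Manager.
SERVICE_PARENT = r"\services.exe"

# selection_cmd / selection_rundll32: command-line fragments standing in for
# the rule's 'cmd' and 'rundll32' checks (constructed placeholders; the real
# rule's patterns are more specific).
GETSYSTEM_SELECTIONS = {
    "selection_cmd": ("cmd",),
    "selection_rundll32": ("rundll32",),
}

# filter: known benign command lines (constructed allowlist for this example).
BENIGN_FILTERS = (
    r"\examplebackup\backup.cmd",
)


def _contains_all(haystack: str, needles: Iterable[str]) -> bool:
    """Case-insensitive 'contains' for every needle, like Sigma's |contains."""
    lowered = haystack.lower()
    return all(n.lower() in lowered for n in needles)


def is_service_start(event: ProcessCreation) -> bool:
    """True when the parent is services.exe, i.e. a service was started."""
    return event.parent_image.lower().endswith(SERVICE_PARENT)


def matched_selection(event: ProcessCreation) -> Optional[str]:
    """Name of the first command-line selection that matches, if any."""
    for name, needles in GETSYSTEM_SELECTIONS.items():
        if _contains_all(event.command_line, needles):
            return name
    return None


def is_filtered(event: ProcessCreation) -> bool:
    """True when the command line is on the benign allowlist."""
    return any(_contains_all(event.command_line, (frag,)) for frag in BENIGN_FILTERS)


def evaluate(event: ProcessCreation) -> Optional[str]:
    """Return the matching selection name when the rule would fire, else None."""
    if not is_service_start(event):
        return None
    selection = matched_selection(event)
    if selection is None or is_filtered(event):
        return None
    return selection


def triage(events: List[ProcessCreation]) -> List[Tuple[int, str]]:
    """(index, selection) for every event the rule fires on."""
    return [(i, sel) for i, ev in enumerate(events) if (sel := evaluate(ev))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessCreation(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cmd.exe",
                    r"cmd.exe /c echo test > C:\Temp\out.txt"),            # fires: cmd
    ProcessCreation(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\rundll32.exe",
                    r"rundll32.exe C:\Users\Public\example.dll,Start"),    # fires: rundll32
    ProcessCreation(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                    r"cmd.exe /c dir"),                                    # not a service start
    ProcessCreation(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cmd.exe",
                    r'cmd.exe /c "C:\Program Files\ExampleBackup\backup.cmd"'),  # allowlisted
    ProcessCreation(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
                    r"C:\Windows\System32\svchost.exe -k netsvcs"),        # ordinary service
]

if __name__ == "__main__":
    for idx, sel in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {sel} -> {SAMPLE_EVENTS[idx].command_line}")
```

The allowlist is the part to tune in production: each entry suppresses every later match that contains the fragment, so keep entries as specific as possible and review them when the rule's hit rate changes.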
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2019-10-26