
Service Created containing Command Shell

Anvilogic Forge

Summary
This detection rule identifies service creation on Windows systems that may indicate malicious activity. It is built on Event ID 7045, which the Service Control Manager logs whenever a new service is installed. The rule specifically flags cases where the service creation command contains a command interpreter: PowerShell ("powershell.exe" or "pwsh.exe") or Command Prompt ("cmd.exe"). A service whose image path is a shell rather than a dedicated binary often signals an attempt to run scripts or commands that do not belong in a service context. The query uses several functions to extract the relevant fields from endpoint logs, filters on the specified event code and command substrings, and organizes the results by key attributes such as time, host, and user. Monitoring for this pattern helps security teams detect and respond to such activity promptly.
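To make the filtering logic concrete, the following is an added Python example, not Anvilogic's query or the rule's source. It applies the same criteria (Event ID 7045, service file name containing powershell.exe, pwsh.exe or cmd.exe) to a few constructed log records and organizes the hits by time, host and user. The field labels in the message body follow the standard 7045 layout ("Service Name:", "Service File Name:", "Service Account:"); the hosts, users, times and paths are invented for the example.

```python
import re
from collections import defaultdict

# Substrings the rule looks for in the service creation command (from the page).
SHELL_INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe")

# Constructed sample records shaped like Windows System log events. The message
# text mirrors the field layout of Event ID 7045 (Service Control Manager); the
# hosts, users, times and paths are invented for this example.
SAMPLE_EVENTS = [
    {"time": "2024-03-14T09:01:12Z", "host": "WS01", "user": "CORP\\alice", "event_code": 7045,
     "message": ("A service was installed in the system.\r\n"
                 "Service Name: UpdaterSvc\r\n"
                 "Service File Name: \"C:\\Program Files\\Updater\\updater.exe\"\r\n"
                 "Service Type: user mode service\r\n"
                 "Service Start Type: auto start\r\n"
                 "Service Account: LocalSystem")},
    {"time": "2024-03-14T09:05:44Z", "host": "WS02", "user": "CORP\\bob", "event_code": 7045,
     "message": ("A service was installed in the system.\r\n"
                 "Service Name: TempTask\r\n"
                 "Service File Name: CMD.EXE /c echo hello > C:\\temp\\out.txt\r\n"
                 "Service Type: user mode service\r\n"
                 "Service Start Type: demand start\r\n"
                 "Service Account: LocalSystem")},
    {"time": "2024-03-14T09:07:02Z", "host": "WS02", "user": "CORP\\bob", "event_code": 7045,
     "message": ("A service was installed in the system.\r\n"
                 "Service Name: ScriptRunner\r\n"
                 "Service File Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
                 "-File C:\\scripts\\run.ps1\r\n"
                 "Service Type: user mode service\r\n"
                 "Service Start Type: auto start\r\n"
                 "Service Account: LocalSystem")},
    # A different event code: must be ignored by the rule.
    {"time": "2024-03-14T09:10:30Z", "host": "WS03", "user": "CORP\\carol", "event_code": 7036,
     "message": "The Windows Update service entered the running state."},
]

# One "Label: value" line per field in the 7045 message body.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Account|Service Start Type):\s*(.*)$", re.M)


def parse_7045(message):
    """Return the labelled fields of a 7045 message body as a dict."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(message)}


def matched_interpreters(service_file_name):
    """List the shell interpreters present in the service command (case-insensitive)."""
    cmd = service_file_name.lower()
    return [tool for tool in SHELL_INTERPRETERS if tool in cmd]


def matches_rule(event):
    """True when the event is a 7045 whose service command names a shell interpreter."""
    if event.get("event_code") != 7045:
        return False
    fields = parse_7045(event.get("message", ""))
    return bool(matched_interpreters(fields.get("Service File Name", "")))


def run_detection(events):
    """Apply the rule and organize hits by time, host and user, as the summary describes."""
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not matches_rule(ev):
            continue
        fields = parse_7045(ev["message"])
        hits.append({
            "time": ev["time"],
            "host": ev["host"],
            "user": ev["user"],
            "service_name": fields.get("Service Name"),
            "service_file_name": fields.get("Service File Name"),
            "service_account": fields.get("Service Account"),
            "matched": matched_interpreters(fields.get("Service File Name", "")),
        })
    return hits


def hits_per_host(hits):
    """Count alerts per host, a convenient view for triage."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
    print(hits_per_host(run_detection(SAMPLE_EVENTS)))
```

The match is deliberately case-insensitive, since the service file name is recorded as typed by whoever registered the service. When tuning, expect some legitimate installers and management agents to register services that wrap a script through cmd.exe or PowerShell; the service account and start type fields parsed above are useful for building an allowlist of those known cases rather than loosening the match itself.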
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Application Log
  • Service
ATT&CK Techniques
  • T1569.002
Created: 2024-03-14