
Meterpreter or Cobalt Strike Getsystem Service Installation - System

Sigma Rules

Summary
This detection rule identifies use of the `getsystem` command provided by Meterpreter and Cobalt Strike in a Windows environment. It monitors service installations recorded by the Service Control Manager (SCM) that typically accompany this privilege escalation technique, keying on Event ID 7045, which is written whenever a new service is installed. It then inspects the logged command line and image path for indicators of a service that was never meant to be a service: a `cmd` invocation, `rundll32` loading a DLL, or a binary served from an administrative share. Because these patterns rarely occur in legitimate service registrations, the rule produces few false positives and is intended to be a high-precision signal for teams monitoring privilege escalation.
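The following is an added example, not the Sigma rule itself or code from the rule's authors, showing how the detection logic described above can be applied to Event ID 7045 records. The match patterns, sample events and field names (`EventID`, `Provider_Name`, `ServiceName`, `ImagePath`) are assumptions chosen for this illustration; the real rule's selection strings are not reproduced here.

```python
"""
Illustrative detector for suspicious service installations, modelled on the
behaviour the rule summary describes: an SCM Event ID 7045 whose ImagePath
points at cmd, rundll32, or a binary on an administrative share.
The patterns below are assumptions for this example, not the rule's own.
"""
import re

# Pattern names and regexes are illustrative (assumed), not the rule's strings.
SUSPICIOUS_PATTERNS = [
    # a shell used as the service binary, e.g. "%COMSPEC% /c ..." or "cmd.exe /c ..."
    ("cmd_as_service", re.compile(r"(cmd(\.exe)?|%COMSPEC%)\s+/c\b", re.I)),
    # rundll32 loading a DLL as the service binary
    ("rundll32_as_service", re.compile(r"rundll32(\.exe)?\s+.+\.dll", re.I)),
    # service binary served from an administrative share such as \\host\ADMIN$\
    ("admin_share_binary", re.compile(r"\\\\[^\\]+\\(ADMIN|C|IPC)\$\\", re.I)),
]

# Constructed sample events (not real telemetry), shaped like SCM system-log records.
SAMPLE_EVENTS = [
    {   # benign: an ordinary driver installation
        "EventID": 7045,
        "Provider_Name": "Service Control Manager",
        "ServiceName": "NetAdapterSvc",
        "ImagePath": r"C:\Windows\System32\drivers\netadapter.sys",
    },
    {   # suspicious: a command shell registered as a service
        "EventID": 7045,
        "Provider_Name": "Service Control Manager",
        "ServiceName": "Service 3f2a",
        "ImagePath": r"%COMSPEC% /c echo hello",
    },
    {   # suspicious: rundll32 loading a DLL as the service binary
        "EventID": 7045,
        "Provider_Name": "Service Control Manager",
        "ServiceName": "Updater",
        "ImagePath": r"rundll32.exe C:\Users\Public\example.dll,EntryPoint",
    },
    {   # suspicious: binary executed from an administrative share
        "EventID": 7045,
        "Provider_Name": "Service Control Manager",
        "ServiceName": "Helper",
        "ImagePath": r"\\127.0.0.1\ADMIN$\example.exe",
    },
    {   # unrelated event id: must be ignored even though the path looks odd
        "EventID": 7036,
        "Provider_Name": "Service Control Manager",
        "ServiceName": "Service 9c1d",
        "ImagePath": r"cmd.exe /c echo ignored",
    },
]


def classify_service_install(event):
    """Return the names of matched patterns for an SCM 7045 event, else []."""
    if event.get("EventID") != 7045:
        return []
    if event.get("Provider_Name") != "Service Control Manager":
        return []
    image_path = event.get("ImagePath", "")
    return [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(image_path)]


def scan_events(events):
    """Return (ServiceName, matched pattern names) for every alerting event."""
    results = []
    for event in events:
        hits = classify_service_install(event)
        if hits:
            results.append((event.get("ServiceName", "?"), hits))
    return results


if __name__ == "__main__":
    for service_name, hits in scan_events(SAMPLE_EVENTS):
        print(f"ALERT service={service_name!r} matched={hits}")
```

Running the script prints one alert line for each of the three suspicious sample events; the driver install and the 7036 record produce nothing, which is the precision behaviour the summary describes.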
Categories
  • Windows
  • Endpoint
  • On-Premise
Data Sources
  • Service
  • Process
  • Logon Session
Created: 2019-10-26