PSexec Service Creation

Anvilogic Forge

Summary
The PSexec Service Creation rule is designed to detect the illicit creation of services via PSexec, a tool often used by threat actors for remote command execution. The detection focuses on new-service installations recorded under Windows Event ID 7045, which the Service Control Manager logs whenever a service is installed. The rule narrows those service creation events to the ones that are common indicators of compromise: it excludes disabled services and keys on anomalous service names that may indicate PSexec usage. The rule logic uses Splunk commands to parse the events and applies regular expressions to match service names and file paths indicative of PSexec deployments. Threat actors typically associated with this technique include APT29, APT31, and ransomware groups such as Conti and LockBit.
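The detection described above, rendered as an added standalone example rather than the rule's own Splunk logic: a small Python routine that parses the message body of Event ID 7045 records, drops services whose start type is disabled, and flags the rest whose service name or service file name matches a PsExec-style regular expression. The event records are constructed samples, and the field names (Service Name, Service File Name, Service Start Type) are the labels the Service Control Manager writes into the 7045 message; the regex patterns, the host names and the helper names are this example's assumptions, not values from the rule.

```python
import re

# Constructed sample Event ID 7045 records in the shape a Splunk search over the
# Windows System log returns (host, EventCode, Message). Made-up data, not telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "EventCode": 7045, "Message": (
        "A service was installed in the system.\n\n"
        "Service Name: PSEXESVC\n"
        "Service File Name: %SystemRoot%\\PSEXESVC.exe\n"
        "Service Type: user mode service\n"
        "Service Start Type: demand start\n"
        "Service Account: LocalSystem")},
    {"host": "ws01", "EventCode": 7045, "Message": (
        "A service was installed in the system.\n\n"
        "Service Name: Windows Update Medic Service\n"
        "Service File Name: %SystemRoot%\\system32\\svchost.exe -k WaaSMedicSvc\n"
        "Service Type: user mode service\n"
        "Service Start Type: auto start\n"
        "Service Account: LocalSystem")},
    {"host": "srv02", "EventCode": 7045, "Message": (
        "A service was installed in the system.\n\n"
        "Service Name: PSEXESVC\n"
        "Service File Name: %SystemRoot%\\PSEXESVC.exe\n"
        "Service Type: user mode service\n"
        "Service Start Type: disabled\n"
        "Service Account: LocalSystem")},
    {"host": "srv02", "EventCode": 7045, "Message": (
        "A service was installed in the system.\n\n"
        "Service Name: MySvc\n"
        "Service File Name: %SystemRoot%\\PSEXESVC.exe\n"
        "Service Type: user mode service\n"
        "Service Start Type: demand start\n"
        "Service Account: LocalSystem")},
    {"host": "srv02", "EventCode": 7036, "Message": "The Sysmon64 service entered the running state."},
]

# Key/value lines inside the 7045 message body.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.MULTILINE,
)

# Assumed patterns: the default PsExec service name and the default binary it drops.
SUSPICIOUS_NAME = re.compile(r"^psexe(c|svc)", re.IGNORECASE)
SUSPICIOUS_PATH = re.compile(r"psexesvc\.exe", re.IGNORECASE)


def parse_7045(message):
    """Return the labelled fields of a 7045 message body as a dict."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def detect_psexec_services(events):
    """Return one finding per 7045 event that matches the PsExec name or path patterns.

    Non-7045 events are ignored and services installed as disabled are skipped,
    mirroring the rule's exclusion of disabled services.
    """
    findings = []
    for event in events:
        if event.get("EventCode") != 7045:
            continue
        fields = parse_7045(event.get("Message", ""))
        name = fields.get("Service Name", "")
        path = fields.get("Service File Name", "")
        start_type = fields.get("Service Start Type", "")
        if start_type.lower() == "disabled":
            continue
        reasons = []
        if SUSPICIOUS_NAME.search(name):
            reasons.append("service name matches PsExec pattern")
        if SUSPICIOUS_PATH.search(path):
            reasons.append("service file name matches PsExec pattern")
        if reasons:
            findings.append({
                "host": event.get("host"),
                "service_name": name,
                "service_file_name": path,
                "start_type": start_type,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_psexec_services(SAMPLE_EVENTS):
        print(finding)
```

The fourth sample shows why the rule matches on both name and file path: a service registered under an unremarkable name still surfaces when its binary path points at the PsExec service executable, while the third sample (installed disabled) is dropped as the rule description specifies.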
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1543.003
  • T1569.002
Created: 2024-02-09