Get-Service - PowerShell

Anvilogic Forge

Summary
This rule detects use of the PowerShell Get-Service cmdlet or its alias gsv, which adversaries may use to enumerate the services on a local system. Such discovery is often a precursor to further malicious activity, since it reveals which services are running on the target machine. The detection relies on EDR process-creation events captured when the cmdlet is executed; the logic applies a regex that matches any invocation of 'Get-Service' or 'gsv', so that variations in how the command is written are still covered. Enabling PowerShell logging is recommended, as it gives a clearer view of command invocations and improves threat monitoring. The rule depends on a process being created via PowerShell, for example through the command-line option 'powershell -command'; if adversaries hide their activity or run commands in ways that do not generate new process events, detection may be hindered.
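The following is an added illustration of the detection logic described above, written here for this page and not Anvilogic's own rule code. It runs the Get-Service/gsv regex over a handful of constructed EDR process-creation events, and goes one step beyond the summary by also decoding a base64 -EncodedCommand argument before matching, so that a cmdlet hidden inside an encoded command line is still seen. The event field names (event, image, command_line), the word-boundary anchoring of the pattern, the restriction to PowerShell host images and the abbreviated -e/-ec/-enc forms of the flag are all assumptions made for this example.

```python
import base64
import re
from typing import Optional

# Approximation of the rule's regex: an invocation of Get-Service or its alias gsv.
# The \b anchors are an assumption added so that substrings such as "msgsvc" or
# "Get-ServiceX" do not fire; the page does not state the rule's exact pattern.
SERVICE_ENUM_RE = re.compile(r"\b(?:Get-Service|gsv)\b", re.IGNORECASE)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the forms handled
# here (-e, -ec, -enc, -encodedcommand) are an assumption, not an exhaustive list.
ENCODED_ARG_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Assumption: only these host images are treated as PowerShell process creations.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def is_powershell(image: str) -> bool:
    """Return True if the process image is a PowerShell host (by file name only)."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in POWERSHELL_IMAGES


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Decode a -EncodedCommand payload (base64 over UTF-16LE); None if absent or malformed."""
    m = ENCODED_ARG_RE.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def evaluate(event: dict) -> Optional[dict]:
    """Apply the rule to one process-creation event; return match details or None."""
    if event.get("event") != "process_create" or not is_powershell(event.get("image", "")):
        return None
    cmd = event.get("command_line", "")
    if SERVICE_ENUM_RE.search(cmd):
        return {"match": "plain", "evidence": cmd}
    decoded = decode_encoded_command(cmd)
    if decoded and SERVICE_ENUM_RE.search(decoded):
        return {"match": "decoded", "evidence": decoded}
    return None


def run_detection(events: list) -> list:
    """Return one record per matching event, keyed by its index in the input list."""
    hits = []
    for i, ev in enumerate(events):
        result = evaluate(ev)
        if result:
            hits.append({"index": i, **result})
    return hits


# Constructed sample events (not real telemetry). The encoded payload is built
# here so that the base64 is guaranteed to be the UTF-16LE encoding of "Get-Service".
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_GET_SERVICE = base64.b64encode("Get-Service".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"event": "process_create", "image": PS_IMAGE,
     "command_line": "powershell.exe -command \"Get-Service | Where-Object Status -eq 'Running'\""},
    {"event": "process_create", "image": PS_IMAGE,
     "command_line": "powershell.exe -nop -c gsv"},
    {"event": "process_create", "image": PS_IMAGE,
     "command_line": f"powershell.exe -enc {ENCODED_GET_SERVICE}"},
    {"event": "process_create", "image": PS_IMAGE,
     "command_line": "powershell.exe -c Get-Process"},
    {"event": "process_create", "image": PS_IMAGE,
     "command_line": "powershell.exe -c Restart-Service msgsvc"},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"event {hit['index']}: {hit['match']} match on {hit['evidence']!r}")
```

Running the block reports the first three events (plain cmdlet, alias, and encoded command) and stays silent on the benign ones, including the "msgsvc" line that a pattern without word boundaries would have flagged. The failure mode the summary names is still outside this logic's reach: a cmdlet typed into an already running PowerShell session creates no new process, so there is no command line to inspect; that gap is what the recommended PowerShell logging (script block logging in particular) is meant to close.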
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1007
Created: 2024-06-13