
Service Installed

Anvilogic Forge

Summary
This detection rule identifies the installation of services on Windows hosts, a technique adversaries commonly use to execute payloads or commands and to persist. It keys on the two event IDs that record a newly installed service: Security log Event ID 4697 ("A service was installed in the system"), which the rule applies on Windows 10 and Windows Server 2016 and later, and System log Event ID 7045, written by the Service Control Manager, which it applies on older releases such as Windows 7, Windows Server 2008 R2 and Windows Server 2012 R2. Note that 4697 is only generated when the "Audit Security System Extension" subcategory is enabled, so 7045 is the signal that is reliably present. By monitoring these events, security teams can recognize unauthorized service installations that may act as a foothold for further exploitation or persistence. Adversaries such as Akira, APT29 and other threat groups have been linked to this tactic, often deploying services with tools such as wce.exe or psexec.exe (PsExec installs its PSEXESVC service on the target). The rule runs in Splunk, aggregating the Windows event logs and applying a count-based filter to drop benign activity and focus on potentially malicious installations. The alert fires when fewer than six unique service names appear in the aggregated results, the reasoning being that a host installing many distinct services at once is more likely routine software deployment or patching than an adversary planting a single foothold; a practitioner tuning the rule should confirm the aggregation window and group-by field match their environment, since the threshold is only meaningful per host or per session, not across the whole search.
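The following is an added example, not the Anvilogic rule or its SPL: it models the summary's logic in Python over constructed 7045/4697 events so the threshold behaviour can be checked offline. The key=value layout and field names (EventCode, ComputerName, Service_Name, Service_File_Name, Account_Name) approximate what the Splunk Windows add-on extracts; the sample log, the per-host grouping and the basename match against psexesvc.exe, psexec.exe and wce.exe are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names approximate the
# Splunk Windows add-on's extractions for System 7045 and Security 4697; both
# the layout and the values are assumptions made for this example.
SAMPLE_LOG = r"""
EventCode=7045 ComputerName=WS01 Service_Name=PSEXESVC Service_File_Name="C:\Windows\PSEXESVC.exe" Account_Name=CORP\jdoe
EventCode=4697 ComputerName=WS01 Service_Name=PSEXESVC Service_File_Name="C:\Windows\PSEXESVC.exe" Account_Name=CORP\jdoe
EventCode=7045 ComputerName=WS02 Service_Name=wceaux Service_File_Name="C:\Temp\wce.exe" Account_Name=CORP\svc-backup
EventCode=7045 ComputerName=BUILD01 Service_Name=agent1 Service_File_Name="C:\Build\agent1.exe" Account_Name=CORP\ci
EventCode=7045 ComputerName=BUILD01 Service_Name=agent2 Service_File_Name="C:\Build\agent2.exe" Account_Name=CORP\ci
EventCode=7045 ComputerName=BUILD01 Service_Name=agent3 Service_File_Name="C:\Build\agent3.exe" Account_Name=CORP\ci
EventCode=7045 ComputerName=BUILD01 Service_Name=agent4 Service_File_Name="C:\Build\agent4.exe" Account_Name=CORP\ci
EventCode=7045 ComputerName=BUILD01 Service_Name=agent5 Service_File_Name="C:\Build\agent5.exe" Account_Name=CORP\ci
EventCode=7045 ComputerName=BUILD01 Service_Name=agent6 Service_File_Name="C:\Build\agent6.exe" Account_Name=CORP\ci
EventCode=4624 ComputerName=WS01 Account_Name=CORP\jdoe
"""

SERVICE_INSTALL_CODES = {4697, 7045}   # Security 4697, System 7045
UNIQUE_SERVICE_THRESHOLD = 6           # alert when a host shows fewer distinct names
# Service binaries the page associates with this tactic. Matching on the file
# basename is an assumption of this example, not part of the Anvilogic rule.
KNOWN_TOOLING = {"psexesvc.exe", "psexec.exe", "wce.exe"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Turn key=value log lines into dicts; quoted values lose their quotes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {k: v.strip('"') for k, v in _KV.findall(line)}
        ev["EventCode"] = int(ev["EventCode"])
        events.append(ev)
    return events


def _basename(path):
    # Handle both backslash and forward-slash separators in Service_File_Name.
    return re.split(r"[\\/]", path)[-1].lower()


def detect(events, threshold=UNIQUE_SERVICE_THRESHOLD):
    """Group service-install events per host; alert where the count of
    distinct service names is below the threshold. Hosts at or above it
    (bulk deployment, patching) are dropped as benign."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["EventCode"] in SERVICE_INSTALL_CODES:
            by_host[ev["ComputerName"]].append(ev)
    alerts = []
    for host in sorted(by_host):
        evs = by_host[host]
        names = sorted({ev["Service_Name"] for ev in evs})
        if len(names) >= threshold:
            continue
        tooling = sorted({_basename(ev["Service_File_Name"]) for ev in evs} & KNOWN_TOOLING)
        alerts.append({
            "host": host,
            "service_names": names,
            "event_count": len(evs),
            "tooling": tooling,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as-is, WS01 (PsExec, seen in both 7045 and 4697) and WS02 (wce.exe) are alerted, while BUILD01, which installed exactly six distinct services, sits on the threshold and is filtered out; the unrelated 4624 logon event is ignored. The Splunk equivalent of the grouping step is a `stats dc(Service_Name) ... by ComputerName` followed by a `where` clause on the count; the exact SPL of the Anvilogic rule is not reproduced here.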
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1569 (System Services)
  • T1543 (Create or Modify System Process)
Created: 2024-02-09