
Summary
This detection rule identifies PowerShell commands that are fed to the interpreter through standard input (stdin) as part of an installed Windows service, a pattern used to hide the actual payload from command-line inspection. It monitors Event ID 7045 (a new service was installed), which the Service Control Manager writes to the System event log; the event's ImagePath field records the full command line the service is configured to run. The rule matches when that command line launches 'cmd' (with /c or /r) and 'powershell' together, with flags indicating that cmd is piping a payload into PowerShell rather than passing it as an argument.

The technique relies on PowerShell reading its commands from stdin when it is started with a bare '-' argument (or '-Command -'). A launcher such as cmd /c "echo <payload> | powershell -noexit -" therefore keeps the script out of the PowerShell process's own command line, which is where many process-creation detections look. Because the service's ImagePath still holds the whole launcher, the 7045 event remains a reliable place to catch it. Additional criteria check for keywords and parameters commonly associated with this kind of obfuscation, such as the stdin flag itself or environment-variable indirection through set and echo, which keeps the match tight and limits false positives.

The rule is rated high severity. It is relevant for environments that want to detect obfuscated scripting and command execution installed as a service, which can lead to unauthorized access or exploitation. Legitimate software rarely installs a service whose command line pipes text into PowerShell, so remaining hits usually come from administrative tooling that wraps PowerShell in cmd; review the ServiceName and the full ImagePath before tuning.
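To make the pattern concrete, the following Python is an added example and is not the rule's own logic or query syntax: it applies a comparable heuristic to a handful of constructed 7045 records. The field names (EventID, Provider, ImagePath, ServiceName), the regular expressions and the indicator list are assumptions made for this illustration, and the sample records are constructed, not real telemetry.

```python
import re
from typing import Dict, List

# Launcher shape this example looks for (an assumption for this illustration,
# not the rule's exact expression):
#   cmd[.exe] /c|/r ... <payload> | powershell|pwsh [switches] -
# cmd produces the payload text and pipes it into a PowerShell that reads its
# commands from stdin, so the payload never appears on powershell.exe's own
# command line. All matching is done on a lower-cased copy of ImagePath.
CMD_LAUNCHER = re.compile(r"\bcmd(?:\.exe)?\b[^|]*?/[cr]\b")
PIPED_POWERSHELL = re.compile(r"\|\s*[\"']?\s*(?:powershell|pwsh)(?:\.exe)?\b(?P<args>.*)$")
# A bare "-" as the last argument, or "-command -" / "-c -", is what tells
# PowerShell to read the script from standard input.
STDIN_FLAG = re.compile(r"(?:(?:^|\s)-|\s-c(?:ommand)?\s+-)\s*[\"']?\s*$")

# Extra signals that the payload is being hidden rather than merely piped
# (an assumed indicator list; reported with the hit, not required for it).
OBFUSCATION_HINTS = {
    "noexit": re.compile(r"-noe(?:xit)?\b"),
    "noprofile": re.compile(r"-nop(?:rofile)?\b"),
    "cmd-variable": re.compile(r"\bset\s+\w+=.*%\w+%"),  # set X=payload ... echo %X%
    "caret-escape": re.compile(r"\^"),                   # cmd ^ escapes splitting keywords
}


def analyze_image_path(image_path: str) -> Dict[str, object]:
    """Return {"match": bool, "indicators": [...]} for one service ImagePath."""
    s = image_path.lower()
    verdict: Dict[str, object] = {"match": False, "indicators": []}
    if not CMD_LAUNCHER.search(s):
        return verdict
    piped = PIPED_POWERSHELL.search(s)
    if piped is None or STDIN_FLAG.search(piped.group("args")) is None:
        return verdict
    verdict["match"] = True
    verdict["indicators"] = [name for name, rx in OBFUSCATION_HINTS.items() if rx.search(s)]
    return verdict


def triage_service_installs(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the check over event records, keeping only 7045 from Service Control Manager."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045 or ev.get("Provider") != "Service Control Manager":
            continue
        verdict = analyze_image_path(str(ev.get("ImagePath", "")))
        if verdict["match"]:
            hits.append({
                "ServiceName": ev.get("ServiceName"),
                "ImagePath": ev.get("ImagePath"),
                "indicators": verdict["indicators"],
            })
    return hits


# Constructed sample records (not real telemetry): two stdin launchers, one
# ordinary service binary, one cmd-wrapped PowerShell that passes a script
# file instead of stdin, and a non-7045 event that the filter drops.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 7045, "Provider": "Service Control Manager", "ServiceName": "UpdaterSvc",
     "ImagePath": r'cmd /c "set cmd=Write-Output hello&&echo %cmd%|PowerShell -NoExit -"'},
    {"EventID": 7045, "Provider": "Service Control Manager", "ServiceName": "HelperSvc",
     "ImagePath": r'C:\Windows\System32\cmd.exe /r "echo Write-Host test | pwsh -nop -c -"'},
    {"EventID": 7045, "Provider": "Service Control Manager", "ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" --service'},
    {"EventID": 7045, "Provider": "Service Control Manager", "ServiceName": "BackupTask",
     "ImagePath": r'C:\Windows\System32\cmd.exe /c "powershell.exe -File C:\scripts\backup.ps1"'},
    {"EventID": 7036, "Provider": "Service Control Manager", "ServiceName": "UpdaterSvc",
     "ImagePath": ""},
]

if __name__ == "__main__":
    for hit in triage_service_installs(SAMPLE_EVENTS):
        print(f'{hit["ServiceName"]}: {hit["indicators"]} <- {hit["ImagePath"]}')
```

Only UpdaterSvc and HelperSvc are reported: BackupTask wraps PowerShell in cmd but hands it a script file rather than stdin, so it is deliberately left alone, and a PowerShell started with a bare '-' but without a cmd launcher is also ignored, mirroring the rule's requirement that both 'cmd' and 'powershell' appear. The indicator list is informational; it is useful for prioritising hits and for tuning out an administrative wrapper that matches the launcher shape without any of the hiding tricks.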
Categories
- Windows
Data Sources
- Windows Registry
- Application Log
- Logon Session
Created: 2020-10-15