PowerShell Scripts Installed as Services

Sigma Rules

Summary
This detection rule identifies PowerShell scripts being installed as Windows services. It monitors events generated by the Service Control Manager, specifically Event ID 7045 (a new service was installed), and matches when the image path of the newly created service contains 'powershell' or 'pwsh'. Such behavior can indicate malicious activity: attackers often register PowerShell commands or scripts as background services so that they execute surreptitiously and provide persistence on the system. This technique appears in a variety of attack patterns and underscores the importance of scrutinizing service installations. The rule also helps detect potential abuse of administrative capabilities and so supports a stronger security posture.
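The detection logic described above, run over constructed Event ID 7045 records, as an added Python example that is not part of this rule page or of the Sigma project. The record layout, the sample services and the helper names are assumptions for illustration; the substring match is case-insensitive, as Sigma's contains modifier is, and events from the same provider that are not 7045 are ignored.

```python
# Constructed sample System-log records shaped like Service Control Manager
# Event ID 7045 (service installed). Made-up examples, not real telemetry; the
# field names mirror the event's XML data (ServiceName, ImagePath, StartType,
# AccountName) but are an assumption of this example.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Provider_Name": "Service Control Manager",
     "ServiceName": "WinDefendHelper",
     "ImagePath": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe "
                  r"-NoP -W Hidden -File C:\ProgramData\update.ps1",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Provider_Name": "Service Control Manager",
     "ServiceName": "Spooler2",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Provider_Name": "Service Control Manager",
     "ServiceName": "pwshAgent",
     "ImagePath": r'"C:\Program Files\PowerShell\7\pwsh.exe" -c Start-Sleep 3600',
     "StartType": "demand start", "AccountName": "LocalSystem"},
    # A 7036 state-change event for the same binary: not an installation, so
    # the rule must not fire on it.
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "ServiceName": "pwshAgent",
     "ImagePath": r"C:\Program Files\PowerShell\7\pwsh.exe"},
]

# Substrings the rule looks for in the new service's image path. Sigma string
# matching is case-insensitive, so both sides are lowercased before comparing.
POWERSHELL_MARKERS = ("powershell", "pwsh")


def is_powershell_service_install(event: dict) -> bool:
    """True when a Service Control Manager 7045 event installs a service whose
    image path references powershell or pwsh."""
    if event.get("Provider_Name") != "Service Control Manager":
        return False
    if event.get("EventID") != 7045:
        return False
    image_path = str(event.get("ImagePath", "")).lower()
    return any(marker in image_path for marker in POWERSHELL_MARKERS)


def find_matches(events) -> list:
    """Apply the rule to a list of events and return the flagged service names,
    which an analyst can pivot on to inspect the service and the script it runs."""
    return [e["ServiceName"] for e in events if is_powershell_service_install(e)]


if __name__ == "__main__":
    for name in find_matches(SAMPLE_EVENTS):
        print(f"ALERT: PowerShell-based service installed: {name}")
```

A hit is a triage lead rather than a verdict: legitimate administrative tooling also registers PowerShell-based services, so the service name, image path arguments and installing account should be reviewed together.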
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
  • Service
Created: 2020-10-06