
Summary
This detection rule identifies execution of Sysinternals PsService, a tool for viewing and controlling Windows services. Attackers can use PsService for service reconnaissance (enumerating running services) and for tampering with services, which can help them maintain persistence on a target system. The rule is tuned to fire when the PsService executable is run on a Windows host. It checks two conditions: the executable is named 'psservice.exe', or the image path shows execution of 'PsService.exe' or 'PsService64.exe'. Flagging these executions captures potentially malicious uses that fall under the discovery and persistence categories, as denoted by the rule's ATT&CK tags. Administrators also run PsService legitimately, so the context of its use should be weighed to minimize false positives.
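As an added example (not the rule's own code), the two conditions described above applied to constructed process-creation records; the field names OriginalFileName, Image, CommandLine and User are assumptions about the telemetry schema, not something the page specifies.

```python
"""Added example: apply the PsService detection conditions to sample events."""
from typing import Dict, Iterable, List

# Constructed sample events shaped like process-creation telemetry.
# Field names are assumptions; the page does not state which fields the rule reads.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Tools\PsService64.exe", "OriginalFileName": "psservice.exe",
     "CommandLine": r"PsService64.exe \\srv01 query", "User": r"CORP\jdoe"},
    # Renamed copy: only the embedded original file name still gives it away.
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe", "OriginalFileName": "psservice.exe",
     "CommandLine": r"svc.exe \\srv01 stop WinDefend", "User": r"CORP\jdoe"},
    # Built-in sc.exe: service activity, but not PsService, so no hit.
    {"Image": r"C:\Windows\System32\sc.exe", "OriginalFileName": "sc.exe",
     "CommandLine": "sc query", "User": r"CORP\admin"},
    # Image path condition alone (no OriginalFileName in this record).
    {"Image": r"C:\Admin\PsService.exe", "OriginalFileName": "",
     "CommandLine": "PsService.exe", "User": r"CORP\admin"},
]

IMAGE_SUFFIXES = ("\\psservice.exe", "\\psservice64.exe")


def matches_psservice(event: Dict[str, str]) -> bool:
    """True when either condition in the rule summary holds (case-insensitive)."""
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    by_name = original == "psservice.exe"          # executable named psservice.exe
    by_image = image.endswith(IMAGE_SUFFIXES)       # path ends in PsService(.64).exe
    return by_name or by_image


def run_detection(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return hits with the fields an analyst needs to judge legitimate admin use."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        if not matches_psservice(ev):
            continue
        image = ev.get("Image", "").lower()
        hits.append({
            "image": ev.get("Image"),
            "user": ev.get("User"),
            "command": ev.get("CommandLine"),
            # A hit whose path does not look like PsService was matched by
            # OriginalFileName only, i.e. the binary was renamed: worth a closer look.
            "renamed": not image.endswith(IMAGE_SUFFIXES),
        })
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```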
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-06-16