
Moriya Rootkit - System

Sigma Rules

Summary
This rule detects installation of the Moriya rootkit by watching the Windows System event log for service installations. Moriya is a stealthy Windows kernel-mode rootkit used for persistence and privilege escalation, as described in Securelist's report on Operation TunnelSnake. The rule fires when the Service Control Manager logs Event ID 7045 ("A service was installed in the system") with the service name 'ZzNetSvc'. Registering a service, typically a kernel-mode driver, is how rootkits such as Moriya get loaded and survive reboots, so this service registration is a strong indicator of compromise. Event ID 7045 is written to the System log by default, so no additional audit policy is needed (unlike the Security-log equivalent, 4697). Because the match is on a fixed service name, the rule is highly specific but trivially evaded by renaming the service; it is best paired with broader hunting over 7045 events for drivers installed from unusual paths.
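The following is an added example, not code from the Sigma project or from this rule's author, showing the rule's selection logic (Service Control Manager, Event ID 7045, ServiceName 'ZzNetSvc') evaluated over Windows System log events in their EVTX XML rendering. The sample events, service names other than ZzNetSvc and all image paths are constructed placeholders, not indicators from the Securelist report. Sigma string matching is case-insensitive by default, and the example reproduces that.

```python
"""Evaluate the Moriya 'ZzNetSvc' service-installation detection over
constructed Windows System log events (added example; the events are
not real telemetry and the paths are placeholders)."""
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (wevtutil / EVTX renders).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sigma-style selection: every field must match (logical AND).
# Values are lower-cased because Sigma string matching is case-insensitive.
SELECTION = {
    "Provider_Name": "service control manager",
    "EventID": "7045",
    "ServiceName": "zznetsvc",
}


def parse_event(xml_text):
    """Flatten one Windows event XML document into a dict of fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "Provider_Name": system.find("e:Provider", NS).get("Name", ""),
        "EventID": system.find("e:EventID", NS).text or "",
    }
    data = root.find("e:EventData", NS)
    if data is not None:
        for item in data.findall("e:Data", NS):
            fields[item.get("Name", "")] = item.text or ""
    return fields


def matches(fields):
    """Return True when the event satisfies every term of SELECTION."""
    return all(
        str(fields.get(key, "")).lower() == value
        for key, value in SELECTION.items()
    )


def evaluate(events_xml):
    """Return (ServiceName, ImagePath) for every event that fires the rule."""
    hits = []
    for xml_text in events_xml:
        fields = parse_event(xml_text)
        if matches(fields):
            hits.append((fields["ServiceName"], fields.get("ImagePath", "")))
    return hits


def system_event(event_id, data, provider="Service Control Manager"):
    """Build a constructed System-log event in the XML layout Windows uses."""
    rows = "\n".join(f'    <Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}">\n'
        f'  <System>\n    <Provider Name="{provider}"/>\n'
        f'    <EventID>{event_id}</EventID>\n    <Channel>System</Channel>\n'
        f'  </System>\n  <EventData>\n{rows}\n  </EventData>\n</Event>'
    )


# Constructed sample events; names and paths are placeholders.
SAMPLE_EVENTS = [
    # Benign user-mode service install: wrong ServiceName, must not match.
    system_event(7045, {"ServiceName": "Example Updater",
                        "ImagePath": r"C:\Program Files\Example\updater.exe",
                        "ServiceType": "user mode service",
                        "StartType": "auto start"}),
    # The Moriya service name registered as a kernel driver: must match.
    system_event(7045, {"ServiceName": "ZzNetSvc",
                        "ImagePath": r"C:\Windows\System32\drivers\example.sys",
                        "ServiceType": "kernel mode driver",
                        "StartType": "demand start"}),
    # Service state change (7036), not an installation: must not match.
    system_event(7036, {"param1": "ZzNetSvc", "param2": "running"}),
    # Different casing of the name still fires under Sigma semantics.
    system_event(7045, {"ServiceName": "zznetsvc",
                        "ImagePath": r"C:\Windows\Temp\example.sys",
                        "ServiceType": "kernel mode driver",
                        "StartType": "demand start"}),
]


if __name__ == "__main__":
    for name, path in evaluate(SAMPLE_EVENTS):
        print(f"ALERT Moriya rootkit service install: {name} -> {path}")
```

Of the four constructed events only the two 7045 records naming ZzNetSvc (in either casing) fire; the benign install and the 7036 state change do not. To hunt beyond this fixed name, drop the ServiceName term and instead filter 7045 events whose ServiceType is a kernel mode driver and whose ImagePath lies outside the expected driver directories.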
Categories
  • Endpoint
  • Windows
  • Infrastructure
Data Sources
  • Windows Registry
  • Service
Created: 2021-05-06