Windows Service Created with Suspicious Service Path

Splunk Security Content

Summary
This detection rule identifies the creation of Windows services whose binary paths point into uncommon directories, a tactic often used by malicious actors. The rule uses Windows Event ID 7045 from the `wineventlog_system` source and looks for services created outside of the standard directories \Windows\, \Program Files\, and \ProgramData\. This matters because adversaries, particularly those deploying Clop ransomware, often create such services to move laterally within networks, achieve persistence, and execute arbitrary code. If a flagged service creation is confirmed to be malicious, it can lead to significant compromise, including unauthorized privilege escalation and sustained access to the environment. Implementing this rule requires ingesting the relevant service-installation logs, and analysts should expect some false positives from legitimate applications that install services in uncommon paths.
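The following is an added example of the detection logic described above, written in Python so it can be run offline; it is not the Splunk rule's own SPL and not code from Splunk Security Content. It parses the message body of constructed Event ID 7045 records (the field labels "Service Name", "Service File Name" and "Service Account" are those of the real Windows System log entry; the sample values are made up), normalises the image path (quoted paths with arguments, the `\??\` NT prefix, and a few environment variables whose expansions are assumed to be the defaults of a C: installation), and flags services whose binary is not under \Windows\, \Program Files\ or \ProgramData\. The directory test is anchored at the drive root, which is stricter than a plain wildcard match.

```python
import re

# --- constructed sample telemetry (not real log data) -----------------------
def build_event(host, name, file_name, account="LocalSystem", code=7045):
    """Build an event dict shaped like a Splunk wineventlog_system record.
    The message layout follows the Windows System log entry for Event ID 7045."""
    message = ("A service was installed in the system.\r\n\r\n"
               f"Service Name: {name}\r\n"
               f"Service File Name: {file_name}\r\n"
               "Service Type: user mode service\r\n"
               "Service Start Type: auto start\r\n"
               f"Service Account: {account}")
    return {"EventCode": code, "host": host, "Message": message}

SAMPLE_EVENTS = [
    build_event("WS01", "Spooler Helper", "C:\\Windows\\System32\\spoolhelper.exe"),
    build_event("WS01", "Vendor Updater", "\"C:\\Program Files\\Vendor\\updater.exe\" /svc"),
    build_event("WS01", "vendordrv", "%SystemRoot%\\System32\\drivers\\vendordrv.sys"),
    build_event("WS02", "svchelper", "C:\\Users\\Public\\svchelper.exe"),
    build_event("WS03", "tmpdrv", "\\??\\C:\\Temp\\tmpdrv.sys"),
    build_event("WS03", "Spooler", "C:\\Windows\\System32\\spoolsv.exe", code=7036),  # not a 7045
]

# --- parsing ----------------------------------------------------------------
FIELD_RE = re.compile(
    r"^(?P<key>Service Name|Service File Name|Service Account):[ \t]*(?P<val>[^\r\n]*)",
    re.MULTILINE)

def parse_7045_message(message):
    """Extract the labelled fields from the free-text body of a 7045 event."""
    return {m.group("key"): m.group("val").strip() for m in FIELD_RE.finditer(message)}

# Assumed expansions (default C: installation); real hosts may differ.
ENV_PREFIXES = {
    "%systemroot%": "c:\\windows",
    "%windir%": "c:\\windows",
    "%programfiles%": "c:\\program files",
    "%programdata%": "c:\\programdata",
}

def image_path(service_file_name):
    """Reduce the raw ImagePath to the binary path: drop surrounding quotes and
    trailing arguments, strip the \\??\\ NT prefix, expand known variables."""
    s = service_file_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        s = s[1:end] if end > 0 else s[1:]
    if s.startswith("\\??\\"):
        s = s[4:]
    lower = s.lower()
    for var, expansion in ENV_PREFIXES.items():
        if lower.startswith(var):
            return expansion + s[len(var):]
    return s

# --- detection --------------------------------------------------------------
COMMON_DIRS = ("\\windows\\", "\\program files\\", "\\program files (x86)\\", "\\programdata\\")

def is_uncommon_path(service_file_name):
    """True when the service binary is not under a standard directory.
    The check is anchored at the drive root (e.g. C:\\Windows\\); UNC,
    relative or otherwise unusual paths are also treated as uncommon."""
    p = image_path(service_file_name).lower()
    m = re.match(r"^[a-z]:(\\.*)$", p, re.DOTALL)
    if not m:
        return True
    return not any(m.group(1).startswith(d) for d in COMMON_DIRS)

def detect_suspicious_services(events):
    """Return one alert per 7045 event whose binary lives in an uncommon path."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") != 7045:
            continue
        fields = parse_7045_message(ev.get("Message", ""))
        raw = fields.get("Service File Name", "")
        if is_uncommon_path(raw):
            alerts.append({
                "host": ev.get("host"),
                "service_name": fields.get("Service Name"),
                "image_path": image_path(raw),
                "account": fields.get("Service Account"),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_suspicious_services(SAMPLE_EVENTS):
        print(alert)
```

Running the block reports the two services installed from C:\Users\Public\ and C:\Temp\ and ignores the three under standard directories. The service account is carried into the alert because a LocalSystem service from an uncommon path is a stronger signal than one running as a low-privilege account; tuning for known vendor installers would be done by excluding specific service names or paths rather than by widening `COMMON_DIRS`.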
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1569
  • T1569.002
Created: 2025-01-27