
Summary
This detection rule monitors the Windows Registry for the creation of services whose binaries are located in directories often associated with malicious activity. It examines entries under the `HKLM\System\CurrentControlSet\Services\` path, looking at both the `Start` and `ImagePath` values of the service configuration. The detection logic triggers when a service's start configuration is set to a suspicious folder such as `\Users\Public\`, `\Perflogs\`, `\ADMIN$\` or `\Temp\`, or when the service's image path contains one of those locations. To reduce false positives, the rule excludes binaries located in more benign directories such as `\Common Files\`. It is useful for catching service installations that attempt to evade detection by hiding in commonly used folders. The rule was authored by Florian Roth of Nextron Systems, is currently in a testing phase, and was most recently modified in August 2023.
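The logic described above, written out as an added example (not the rule's own Sigma source) that runs the path and folder checks over constructed Sysmon-style registry "value set" events; the field names `target_object` and `details` mirror Sysmon's TargetObject/Details and are an assumption about the telemetry feeding the rule.

```python
"""Check registry 'value set' events for services configured from suspicious folders.

Constructed example: applies the rule summary's path prefix, value names,
suspicious-folder list and Common Files exclusion to Sysmon-style records.
"""
from dataclasses import dataclass

SERVICES_PREFIX = "HKLM\\System\\CurrentControlSet\\Services\\"
WATCHED_VALUES = ("\\Start", "\\ImagePath")
SUSPICIOUS_FOLDERS = ("\\Users\\Public\\", "\\Perflogs\\", "\\ADMIN$\\", "\\Temp\\")
BENIGN_FOLDERS = ("\\Common Files\\",)


@dataclass(frozen=True)
class RegistryEvent:
    """Minimal view of a Sysmon Event ID 13 (value set) record (assumed schema)."""
    target_object: str  # full key path including the value name
    details: str        # data written to the value


def is_suspicious_service_event(ev: RegistryEvent) -> bool:
    """True when the event matches the rule: services key, Start/ImagePath value,
    a suspicious folder in the data, and no benign-folder exclusion."""
    if not ev.target_object.startswith(SERVICES_PREFIX):
        return False
    if not ev.target_object.endswith(WATCHED_VALUES):
        return False
    details = ev.details.lower()  # Sigma string matching is case-insensitive
    if any(f.lower() in details for f in BENIGN_FOLDERS):
        return False
    # Note: 'Start' holds a DWORD, so in practice only ImagePath data carries a path.
    return any(f.lower() in details for f in SUSPICIOUS_FOLDERS)


def scan(events):
    """Return the service key names of every event that fires the rule."""
    hits = []
    for ev in events:
        if is_suspicious_service_event(ev):
            hits.append(ev.target_object[len(SERVICES_PREFIX):].rsplit("\\", 1)[0])
    return hits


# Constructed sample events; none are taken from a real host.
SAMPLE_EVENTS = [
    RegistryEvent(SERVICES_PREFIX + "Updater\\ImagePath", "C:\\Users\\Public\\updater.exe"),
    RegistryEvent(SERVICES_PREFIX + "Updater\\Start", "DWORD (0x00000002)"),
    # Contains \Temp\ but sits under Common Files, so the exclusion suppresses it.
    RegistryEvent(SERVICES_PREFIX + "VendorSvc\\ImagePath", "C:\\Program Files\\Common Files\\Vendor\\Temp\\svc.exe"),
    RegistryEvent(SERVICES_PREFIX + "Spooler\\ImagePath", "C:\\Windows\\System32\\spoolsv.exe"),
    RegistryEvent("HKLM\\Software\\Vendor\\ImagePath", "C:\\Temp\\tool.exe"),  # not a service key
    RegistryEvent(SERVICES_PREFIX + "Stager\\ImagePath", "cmd.exe /c C:\\Windows\\Temp\\s.bat"),
]

if __name__ == "__main__":
    for key in scan(SAMPLE_EVENTS):
        print("suspicious service:", key)
```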
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1562.001
Created: 2022-05-02