
Summary
This detection rule identifies obfuscated PowerShell scripts that use the 'rundll32' executable, a common technique for executing malicious payloads. The rule triggers on Windows Security Event ID 4697 logs, which indicate that a service has been created or modified, and the detection relies on the characteristics of the 'ServiceFileName' field. Events whose 'ServiceFileName' contains terms such as 'invoke', 'comspec' or 'iex' together with patterns associated with 'rundll32' and 'shell32.dll' are flagged. The detection aims to uncover potential misuse of system resources, primarily associated with defense evasion tactics commonly employed by threat actors. The expected false-positive level is rated high, because the detection relies on naming conventions that can also appear in legitimate configurations.
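The matching logic described above, applied to a few constructed Event ID 4697 records (added illustration, not the rule's own code). It assumes case-insensitive substring matching and that an alert requires both the 'rundll32' and 'shell32.dll' markers plus at least one of 'invoke', 'comspec' or 'iex'; the flattened key=value log form and the field values are constructed for the example.

```python
# Added example: evaluate constructed Event ID 4697 records against the
# ServiceFileName conditions the summary describes. Assumptions: matching is
# case-insensitive substring matching, and a hit needs every rundll32/shell32
# marker plus at least one PowerShell marker.
import re

POWERSHELL_MARKERS = ("invoke", "comspec", "iex")
RUNDLL_MARKERS = ("rundll32", "shell32.dll")

# Constructed sample records in a flattened "key=value" form, one event per string.
# Record 1 carries all markers; record 2 is a benign rundll32/shell32 launch;
# record 3 shows the naming-convention false positive ("invoke" alone);
# record 4 is a different Event ID and must be ignored.
SAMPLE_EVENTS = [
    "EventID=4697 ServiceName=WinUpdateSvc ServiceFileName=rundll32.exe shell32.dll,PLACEHOLDER_EXPORT \"%COMSPEC% /c powershell -c iex $p\"",
    "EventID=4697 ServiceName=PrintHelper ServiceFileName=C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL",
    "EventID=4697 ServiceName=InvokeBackupAgent ServiceFileName=C:\\Program Files\\Backup\\InvokeAgent.exe",
    "EventID=4688 ServiceName=Ignored ServiceFileName=rundll32.exe shell32.dll iex",
]

# A value runs until the next " key=" token or the end of the line, so the
# final field (ServiceFileName) may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict of string fields."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_suspicious_service(event: dict) -> bool:
    """Apply the rule: Event ID 4697 whose ServiceFileName holds all rundll32
    markers and at least one PowerShell marker (invoke, comspec, iex)."""
    if event.get("EventID") != "4697":
        return False
    file_name = event.get("ServiceFileName", "").lower()
    return all(m in file_name for m in RUNDLL_MARKERS) and any(
        m in file_name for m in POWERSHELL_MARKERS
    )


def flag_events(lines) -> list:
    """Return the ServiceName of every record the rule would alert on."""
    return [ev["ServiceName"] for ev in map(parse_event, lines) if is_suspicious_service(ev)]


if __name__ == "__main__":
    print(flag_events(SAMPLE_EVENTS))  # ['WinUpdateSvc']
```

Record 3 is not flagged because the rule requires the rundll32/shell32.dll markers as well; the high false-positive rating comes from legitimate names that do satisfy all conditions, which this example cannot decide from the field alone.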
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- Scheduled Job
- Process
Created: 2020-10-09