PowerShell Scripts Installed as Services - Security

Sigma Rules

Summary
This rule detects PowerShell scripts being installed as Windows services. It relies on Windows Security Event ID 4697, which records a service being created, and inspects the service file name of each new service for the strings 'powershell' or 'pwsh'. Registering a script this way is a common persistence technique: the script runs under the Service Control Manager, where it can pass for a legitimate system process. Detection depends on the System Security Extension audit subcategory being enabled in the Windows security log; without it, Event ID 4697 is not written. The rule is rated high severity because a service that launches PowerShell can carry out further malicious activity with little additional effort. False positives can arise from legitimate applications that run PowerShell scripts as services; investigate each event to confirm it is expected, and remediate any that are not.
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Service
Created: 2020-10-06