Detects suspicious service installation scripts
Detects uncommon service installation commands by looking for suspicious or uncommon image path values, such as references to encoded PowerShell commands or temporary paths.
Detects service installation in the suspicious AppData folder
Detects service installation with suspicious folder patterns
Detects suspicious service installation commands
Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.