SCCM

Identifies the creation of a Windows service by an unusual client process, which can be leveraged to escalate privileges from administrator to SYSTEM by exploiting misconfigurations or vulnerabilities in the service creation process.

Detection of processes executed via Windows Management Instrumentation (WMI) on a remote host indicating potential adversary lateral movement.

Detection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.