
Service StartupType Change Via PowerShell Set-Service

Sigma Rules

Summary
This detection rule monitors for changes to Windows service startup types made through PowerShell's Set-Service cmdlet. Such changes can indicate an attempt to disable services as part of a defense evasion tactic. Specifically, the rule triggers when a user runs Set-Service with parameters that set a service's startup type to either 'Disabled' or 'Manual'. Catching these unauthorized modifications matters because they may indicate malicious activity. The rule inspects process creation events for instances of PowerShell executing commands indicative of such service manipulation; its detection logic verifies the process image and the command line parameters, and raises an alert only when all specified criteria are met.
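The detection described above, re-implemented as an added Python example (this is not the rule's own Sigma YAML and not code from the rule's author). It applies the summary's conditions (PowerShell process image, Set-Service on the command line, a -StartupType of Disabled or Manual) to a handful of constructed process creation events. The field names Image and CommandLine follow the Sigma process_creation log source; the list of PowerShell host binaries, the extraction of the target service from -Name or the positional argument, and the sample events are assumptions made for the example.

```python
"""Re-implementation of the detection logic in the summary, for study only.

Assumptions (not from the rule itself): the PowerShell image names below,
the service-name extraction, and the sample events, which are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed PowerShell host binaries (Image ends with). powershell.exe is the one
# the summary implies; pwsh.exe (PowerShell 7) is an added assumption.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# Startup types the rule flags, as stated in the summary.
FLAGGED_STARTUP_TYPES = ("disabled", "manual")

# -StartupType <value>, matched case-insensitively regardless of parameter order.
_STARTUP_TYPE_RE = re.compile(r"-startuptype\s+['\"]?([a-z]+)", re.IGNORECASE)
# Target service given as -Name <svc> or positionally as Set-Service <svc>.
_NAME_PARAM_RE = re.compile(r"-name\s+['\"]?([^\s'\"]+)", re.IGNORECASE)
_POSITIONAL_RE = re.compile(r"set-service\s+['\"]?(?!-)([^\s'\"]+)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessCreationEvent:
    """Minimal process creation event (e.g. Sysmon event ID 1 or Security 4688)."""
    image: str          # full path of the created process
    command_line: str   # command line as logged


def is_powershell_image(image: str) -> bool:
    """Image check: the process must be one of the PowerShell hosts."""
    return image.lower().endswith(POWERSHELL_IMAGES)


def startup_type_change(command_line: str) -> Optional[str]:
    """Return the lower-cased -StartupType value when the command line invokes
    Set-Service with a flagged startup type; otherwise None."""
    if "set-service" not in command_line.lower():
        return None
    match = _STARTUP_TYPE_RE.search(command_line)
    if not match:
        return None
    value = match.group(1).lower()
    return value if value in FLAGGED_STARTUP_TYPES else None


def target_service(command_line: str) -> Optional[str]:
    """Best-effort extraction of the service being modified (for triage only;
    abbreviated parameter names such as -N are not handled)."""
    match = _NAME_PARAM_RE.search(command_line) or _POSITIONAL_RE.search(command_line)
    return match.group(1) if match else None


def evaluate(event: ProcessCreationEvent) -> Optional[dict]:
    """All criteria must hold: PowerShell image AND Set-Service AND flagged type."""
    if not is_powershell_image(event.image):
        return None
    startup_type = startup_type_change(event.command_line)
    if startup_type is None:
        return None
    return {
        "image": event.image,
        "service": target_service(event.command_line),
        "startup_type": startup_type,
    }


def scan(events: List[ProcessCreationEvent]) -> List[dict]:
    """Run the detection over a batch of events and return the alerts."""
    return [hit for hit in (evaluate(e) for e in events) if hit]


# Constructed sample events: two that should alert, three that should not.
SAMPLE_EVENTS = [
    ProcessCreationEvent(
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell.exe -NoProfile -Command "Set-Service -Name Spooler -StartupType Disabled"'),
    ProcessCreationEvent(
        r"C:\Program Files\PowerShell\7\pwsh.exe",
        "pwsh.exe -c Set-Service Spooler -StartupType Manual"),
    ProcessCreationEvent(  # Automatic is not a flagged startup type
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell.exe -Command "Set-Service -Name Spooler -StartupType Automatic"'),
    ProcessCreationEvent(  # sc.exe path: wrong image, out of this rule's scope
        r"C:\Windows\System32\cmd.exe",
        "cmd.exe /c sc config Spooler start= disabled"),
    ProcessCreationEvent(  # mentions Disabled but only reads, never sets
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        'powershell.exe -Command "Get-Service -Name Spooler | Where-Object StartType -eq Disabled"'),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The fourth sample event shows the rule's boundary: the same service change made with sc.exe does not touch this rule, because the process image is not PowerShell, so coverage of that path has to come from elsewhere. Setting a service to Manual is also routine administrative work, so in production the image and command line hits from this logic are usually correlated with the user, host role and parent process before they are treated as defense evasion.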
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2023-03-04