Potential Unquoted Service Path Reconnaissance Via Wmic.EXE

Sigma Rules

Summary
The detection rule identifies potential reconnaissance activity that uses the Windows Management Instrumentation Command-line (WMIC) to look for unquoted service paths. An unquoted service path (a service whose binary path contains spaces but is not wrapped in quotation marks) is a potential vulnerability that attackers can exploit to escalate privileges or execute unauthorized commands on Windows systems. This rule monitors process creation events for the invocation of 'wmic.exe' with command line arguments that query service details such as the name, display name, pathname, and start mode. Any command line that contains 'service get' together with these attributes is treated as a possible sign of the reconnaissance that penetration testers and attackers typically perform during their enumeration phase. Monitoring such commands is important because attackers may exploit unquoted paths to execute code with higher privileges and compromise the system. The rule's combination of the expected file name and command line patterns helps target suspicious WMIC usage accurately.
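The following is an added example, not the Sigma rule itself or code from the rule's authors. It applies the matching logic the summary describes (an image or original file name of wmic.exe plus a command line containing 'service get' and one of the service attributes) to a few constructed process-creation events, and adds a small defender-side audit check that flags a service binary path as unquoted. The event field names (image, original_file_name, command_line) and the sample events are assumptions chosen for the example.

```python
"""Added example: match constructed process-creation events against the
WMIC service-enumeration pattern described above, and audit service
binary paths for the unquoted-path weakness. Not the rule's own code."""
import re
from dataclasses import dataclass

# Service attributes the summary names as indicators when used with 'service get'.
SERVICE_ATTRS = ("name", "displayname", "pathname", "startmode")


@dataclass
class ProcessEvent:
    """Subset of a Windows process-creation event (field names assumed)."""
    image: str               # full path of the created process
    original_file_name: str  # OriginalFileName from the PE version info
    command_line: str


def _normalize(cmd: str) -> str:
    """Collapse whitespace runs and lowercase so spacing tricks do not evade matching."""
    return re.sub(r"\s+", " ", cmd).strip().lower()


def is_wmic_service_recon(event: ProcessEvent) -> bool:
    """True when the event looks like WMIC service enumeration per the summary."""
    is_wmic = (event.image.lower().endswith("\\wmic.exe")
               or event.original_file_name.lower() == "wmic.exe")
    if not is_wmic:
        return False
    cmd = _normalize(event.command_line)
    idx = cmd.find("service get")
    if idx < 0:
        return False
    # Tokenise what follows 'service get' on commas/whitespace and look for
    # at least one of the attributes the rule cares about.
    tail = cmd[idx + len("service get"):].strip()
    tokens = [t for t in re.split(r"[,\s]+", tail) if t]
    return any(t in SERVICE_ATTRS for t in tokens)


def is_unquoted_service_path(pathname: str) -> bool:
    """Defender audit check: True if the executable portion of a service's
    binary path contains a space and the path is not wrapped in quotes."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    # Take only the executable part (up to and including '.exe'); arguments
    # after it may legitimately contain spaces.
    m = re.match(r"(.*?\.exe)", p, re.IGNORECASE)
    exe = m.group(1) if m else p
    return " " in exe


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
                 "wmic service get name,displayname,pathname,startmode"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
                 "wmic process list brief"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 "cmd /c echo service get pathname"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
                 "wmic   service    get   PathName"),
]


def scan(events):
    """Return the command lines of all events matching the pattern."""
    return [e.command_line for e in events if is_wmic_service_recon(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
    # Constructed service paths to audit.
    for path in (r"C:\Program Files\Vendor\svc.exe",
                 r'"C:\Program Files\Vendor\svc.exe"',
                 r"C:\Windows\system32\svchost.exe -k netsvcs"):
        print("unquoted" if is_unquoted_service_path(path) else "ok      ", path)
```

The whitespace normalisation matters in practice: a command line such as `wmic   service   get   PathName` is the same query as the compact form, so the matcher collapses runs of spaces before looking for 'service get'. The image/original-file-name check also means a renamed copy of wmic.exe is still caught when its version information is intact.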
Categories
  • Endpoint
  • Windows
  • Infrastructure
Data Sources
  • Process
  • Application Log
Created: 2022-06-20