
Summary
This detection rule identifies the use of the Windows command-line utility `sc.exe` to change a service's startup type to 'disabled' or 'demand'. Such changes can indicate malicious activity, because attackers may disable services to hinder detection or degrade system functionality. The rule works by monitoring process creation events for `sc.exe` executions with specific command-line arguments: it matches command lines that contain 'config' and 'start' followed by 'disabled' or 'demand', so it does not fire on other `sc.exe` invocations. The rule's level is 'medium', with the understanding that legitimate administrative activity or troubleshooting scripts may produce false positives. The appropriate response to an alert is to investigate the context of, and the reason for, the service startup type change.
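The matching logic described above, expressed as a small detector run over constructed process creation events. This is an added example, not the rule's own implementation; the `ProcessEvent` and `Finding` types, the sample command lines, and the `allowlist` tuning hook are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process creation event (hypothetical shape): image path and full command line."""
    image: str
    command_line: str

@dataclass(frozen=True)
class Finding:
    """What an analyst needs for triage: which service, which startup type, and the raw command line."""
    service: str
    start_type: str
    command_line: str

# Constructed sample events. Only the first, second and last should match:
# the rule requires 'config' plus 'start' followed by 'disabled' or 'demand'.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\sc.exe", "sc.exe config WinDefend start= disabled"),
    ProcessEvent(r"C:\Windows\System32\sc.exe", 'sc config "Sense" start= demand'),
    ProcessEvent(r"C:\Windows\System32\sc.exe", "sc.exe config MyService start= auto"),
    ProcessEvent(r"C:\Windows\System32\sc.exe", "sc.exe query WinDefend"),
    # Wrapper process: not matched on image, but the sc.exe child it spawns
    # produces its own process creation event, which the rule does match.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c sc config wuauserv start= disabled"),
    ProcessEvent(r"C:\Windows\System32\sc.exe", "SC.EXE CONFIG spooler START= DEMAND"),
]

# sc.exe syntax is 'start= <type>' with the space after '=', but allow it to be absent.
_START_TYPE_RE = re.compile(r"\bstart=\s*(disabled|demand)\b", re.IGNORECASE)
# Service name is the token after 'config'; it may be quoted.
_SERVICE_RE = re.compile(r'\bconfig\s+("[^"]+"|\S+)', re.IGNORECASE)

def is_sc_startup_change(event: ProcessEvent) -> Optional[Finding]:
    """Return a Finding if the event is sc.exe setting a startup type to disabled/demand, else None."""
    image_name = event.image.lower().rsplit("\\", 1)[-1]
    if image_name != "sc.exe":
        return None
    if "config" not in event.command_line.lower():
        return None
    start_match = _START_TYPE_RE.search(event.command_line)
    if start_match is None:
        return None
    service_match = _SERVICE_RE.search(event.command_line)
    service = service_match.group(1).strip('"') if service_match else "<unknown>"
    return Finding(service=service,
                   start_type=start_match.group(1).lower(),
                   command_line=event.command_line)

def detect(events: List[ProcessEvent], allowlist: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Run the rule over events; 'allowlist' holds service names known to be changed by approved tooling."""
    findings = []
    for event in events:
        finding = is_sc_startup_change(event)
        if finding is not None and finding.service.lower() not in {s.lower() for s in allowlist}:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[medium] service={f.service} start_type={f.start_type} cmd={f.command_line!r}")
```

The `allowlist` parameter is one way to handle the false positives the rule warns about: rather than widening the match, keep the detection as written and suppress only the specific services that an approved troubleshooting script is known to set to 'disabled' or 'demand', so every remaining hit still gets investigated.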
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
Created: 2022-08-01