Excessive number of service control start as disabled

Splunk Security Content

Summary
This detection rule flags repeated use of the `sc.exe` command within a short timeframe to disable services on Windows endpoints. It inspects the command-line arguments passed to `sc.exe` and matches invocations containing `start= disabled`, the Service Control Manager argument that prevents a service from starting at boot. The rule is built on Endpoint Detection and Response (EDR) process-execution telemetry and fires when `sc.exe` with `start= disabled` is executed eight or more times on the same endpoint within a 30-minute window. A burst of this size is unusual for routine administration and is consistent with an adversary disabling security tooling, logging or recovery services to impair defenses (ATT&CK T1562.001), which can leave the host blind to later stages of an intrusion. Supported data sources include Sysmon process-creation events and Windows Security Event Logs. False positives can come from legitimate administrative actions, such as hardening scripts or imaging that disable many services at once, but telemetry from standard Windows operations shows this pattern to be uncommon; reviewing which services were targeted usually separates the two cases quickly.
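The counting logic described above, as an added worked example that is not part of the Splunk rule or this page. It runs the threshold check over a handful of constructed Sysmon-style process events, grouping by host and sliding a 30-minute window rather than using fixed time buckets (so a burst straddling a bucket boundary is not missed). The field names (`host`, `time`, `process_name`, `command_line`), the sample hosts and the sample command lines are all assumptions made for illustration; the match is deliberately tolerant of extra whitespace after `start=`, since `sc.exe` accepts that and a literal `start= disabled` string match would not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sc.exe argument that disables a service. sc.exe requires a space
# after "start=" but tolerates more than one, so use \s+ rather than a literal.
SC_DISABLE_RE = re.compile(r"\bstart=\s+disabled\b", re.IGNORECASE)


def is_sc_disable(event):
    """True when the event is sc.exe being used to set a service to disabled."""
    return (
        event["process_name"].lower() == "sc.exe"
        and SC_DISABLE_RE.search(event["command_line"]) is not None
    )


def detect_excessive_sc_disable(events, threshold=8, window=timedelta(minutes=30)):
    """Return one alert per host that has >= threshold qualifying sc.exe
    executions inside any sliding window of the given length."""
    by_host = defaultdict(list)
    for e in events:
        if is_sc_disable(e):
            by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        best = None
        for end, e in enumerate(evs):
            # Advance the window start until it fits inside `window`.
            while e["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "host": host,
                    "count": count,
                    "window_start": evs[start]["time"],
                    "window_end": e["time"],
                    # Keep the command lines so an analyst can see which
                    # services were targeted during triage.
                    "command_lines": [x["command_line"] for x in evs[start:end + 1]],
                }
        if best is not None:
            alerts.append(best)
    return alerts


# --- Constructed sample telemetry (not real logs) -------------------------
BASE = datetime(2024, 11, 13, 9, 0, 0)
SERVICES = ["WinDefend", "wuauserv", "Sense", "MpsSvc", "wscsvc",
            "SecurityHealthService", "EventLog", "BITS", "VSS"]


def _ev(host, minute, cmd, image="sc.exe"):
    return {"host": host, "time": BASE + timedelta(minutes=minute),
            "process_name": image, "command_line": cmd}


SAMPLE_EVENTS = []
# WS01: nine disables in nine minutes; one uses two spaces after "start=".
for i, svc in enumerate(SERVICES):
    sep = "  " if i == 4 else " "
    SAMPLE_EVENTS.append(_ev("WS01", i, f"sc.exe config {svc} start={sep}disabled"))
SAMPLE_EVENTS.append(_ev("WS01", 2, "sc.exe query WinDefend"))            # benign query, no match
SAMPLE_EVENTS.append(_ev("WS01", 3, "cmd.exe /c echo start= disabled", "cmd.exe"))  # wrong image, no match
# WS02: three disables, below the default threshold.
for i, svc in enumerate(SERVICES[:3]):
    SAMPLE_EVENTS.append(_ev("WS02", 10 + i, f"sc.exe config {svc} start= disabled"))
# WS03: eight disables spread 25 minutes apart, never eight in one window.
for i, svc in enumerate(SERVICES[:8]):
    SAMPLE_EVENTS.append(_ev("WS03", 25 * i, f"sc.exe config {svc} start= disabled"))


if __name__ == "__main__":
    for alert in detect_excessive_sc_disable(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['count']} sc.exe disables between "
              f"{alert['window_start']:%H:%M} and {alert['window_end']:%H:%M}")
        for cmd in alert["command_lines"]:
            print("   ", cmd)
```

Only WS01 alerts with the default threshold; WS03 shows why the time window matters as much as the count, since eight disables spread over three hours never co-occur within 30 minutes. Lowering `threshold` to 3 also surfaces WS02, which is the tuning knob to adjust if a fleet's administrative tooling legitimately disables services in bursts.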
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1562
  • T1562.001
Created: 2024-11-13