
Summary
This rule detects reconnaissance activity in which adversaries use the Windows Management Instrumentation Command-line (WMIC) tool to query services on remote systems. Adversaries may use WMIC to check whether particular services exist on a remote host, issuing commands that include the keyword 'service'. The rule triggers on command-line executions of WMIC that include 'service', which may indicate an attempt to enumerate services on the target machine; it monitors process creation for WMIC executions with that command-line content so the activity is surfaced promptly. False positives may arise from legitimate administrative queries or automated system checks that use WMIC to verify service status.
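As an added example (not code from the rule page or its vendor), the matching logic described above plus a triage step for the false positives it mentions, run in Python over constructed process-creation events; the field names Image, CommandLine and User, the /node: severity heuristic and the user allow-list are assumptions.

```python
import re

# Constructed sample process-creation events (field names Image, CommandLine,
# User are assumed, modelled on typical endpoint telemetry; not real data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:"FILESRV01" service get name,state',
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic service where name='Spooler' get state",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c sc query",
     "User": "CORP\\jdoe"},
]

WMIC_IMAGE = re.compile(r"\\wmic\.exe$", re.IGNORECASE)
REMOTE_NODE = re.compile(r"/node:", re.IGNORECASE)  # WMIC remote-host switch


def matches_rule(event):
    """Rule logic: WMIC process creation whose command line contains 'service'."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return bool(WMIC_IMAGE.search(image)) and "service" in cmdline.lower()


def triage(event, allowed_users=frozenset()):
    """Severity for a match: allow-listed admin/automation accounts rank low
    (the false-positive case noted above), remote /node: queries rank high."""
    if event.get("User") in allowed_users:
        return "low"
    if REMOTE_NODE.search(event.get("CommandLine", "")):
        return "high"
    return "medium"


def evaluate(events, allowed_users=frozenset()):
    """Return one alert per event that matches the rule, with a severity."""
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append({"command_line": event["CommandLine"],
                           "user": event.get("User"),
                           "severity": triage(event, allowed_users)})
    return alerts
```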
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1047
Created: 2023-02-14