Windows Net System Service Discovery

Splunk Security Content

Summary
The rule "Windows Net System Service Discovery" detects use of the `net start` command in a Windows environment, which with no arguments lists the services currently running on a system. System administrators use it legitimately for service management, but attackers also use it during reconnaissance to learn how the operating system is configured and which security products are active. The analytic identifies potential misuse by monitoring process executions of `cmd.exe` that launch `net start`. Correlating that behavior with other reconnaissance commands such as `tasklist` and `sc query` improves the fidelity of the detection. The command itself is not malicious; its use outside of routine administrative tasks is what warrants investigation. The detection is backed by data from Sysmon EventID 1 and Windows Security Event Log 4688, giving well-rounded visibility into endpoint process activity.
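As an added example (not the Splunk rule's own SPL or code), the following Python applies the logic described above to constructed Sysmon-style process events: it flags `net start` or `net1 start` with no service name spawned by `cmd.exe`, and attaches any `tasklist` or `sc query` executions seen on the same host within a five-minute window as corroboration. The field names, the window size and the sample events are assumptions.

```python
from datetime import datetime, timedelta
from ntpath import basename

# Constructed sample events modelled on the fields of Sysmon EventID 1 /
# Security 4688 (time, host, parent image, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2025-08-25T10:00:01", "host": "WS01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net  start"},
    {"time": "2025-08-25T10:00:05", "host": "WS01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\tasklist.exe", "cmdline": "tasklist /svc"},
    {"time": "2025-08-25T10:00:09", "host": "WS01", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc query"},
    # Starting a named service is administration, not enumeration: must not fire.
    {"time": "2025-08-25T11:30:00", "host": "SRV02", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net start BackupAgent"},
    # Bare enumeration with no other recon nearby: fires, but with no corroboration.
    {"time": "2025-08-25T12:00:00", "host": "WS03", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net1.exe", "cmdline": "net1 start"},
]

# (image basename, required command-line substring) pairs that corroborate a hit.
RECON_HINTS = (("tasklist.exe", ""), ("sc.exe", "query"))

def is_service_enumeration(ev):
    """True for `net start` / `net1 start` with no service name, spawned by cmd.exe."""
    if basename(ev["parent"]).lower() != "cmd.exe":
        return False
    if basename(ev["image"]).lower() not in ("net.exe", "net1.exe"):
        return False
    args = ev["cmdline"].split()
    return len(args) == 2 and args[1].lower() == "start"

def is_other_recon(ev):
    """tasklist or `sc query` executions used to corroborate the net start hit."""
    img = basename(ev["image"]).lower()
    return any(img == exe and sub in ev["cmdline"].lower() for exe, sub in RECON_HINTS)

def detect(events, window=timedelta(minutes=5)):
    """One finding per enumeration event, with corroborating recon on the same host."""
    findings = []
    for ev in events:
        if not is_service_enumeration(ev):
            continue
        t = datetime.fromisoformat(ev["time"])
        related = [o["cmdline"] for o in events
                   if o is not ev and o["host"] == ev["host"] and is_other_recon(o)
                   and abs(datetime.fromisoformat(o["time"]) - t) <= window]
        findings.append({"host": ev["host"], "time": ev["time"],
                         "cmdline": ev["cmdline"], "corroborating": related})
    return findings

print(*detect(SAMPLE_EVENTS), sep="\n")
```

A finding with an empty `corroborating` list is the low-confidence case the summary describes: a bare `net start` from an administrator's shell, worth a look but not an alert on its own.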
Categories
  • Windows
  • Endpoint
  • Network
Data Sources
  • Windows Registry
  • User Account
  • Application Log
ATT&CK Techniques
  • T1007
Created: 2025-08-25