
Summary
This detection rule identifies potential persistence attempts through the modification of existing services in a Windows environment. Attackers can achieve persistence by altering a service's configuration so that a malicious payload runs whenever the service starts or, via its failure actions, whenever the service fails or is killed. This behavior typically appears in process creation events where commands such as `sc config <service>` or `reg add <key>` are used to change the service's binary path or failure actions. The detection logic consists of multiple selection criteria that monitor command-line invocations matching these patterns. The rule triggers an alert when it sees either the `sc` command used to modify a service configuration or the addition of specific registry values under a service key that could indicate malicious intent. It additionally includes conditions that match command-line arguments referring to executable files or scripts commonly used in malicious activity. As a result, this rule is useful for identifying attempts to establish or maintain persistence on compromised systems.
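The following is an added, stand-alone Python re-implementation of the detection logic described above, run over a few constructed process command lines. It is not the rule's own definition: the selection names, the exact regular expressions, the list of executable and script extensions, and the decision to require an executable reference only on the `reg add` path are all assumptions about how the summary's criteria combine.

```python
import re

# Constructed sample command lines (not real telemetry). Three are modifications of
# an existing service's binary path or failure actions; two are benign service commands.
SAMPLE_COMMAND_LINES = [
    r'sc config Spooler binPath= "C:\Users\Public\updater.exe"',
    r'sc failure Spooler reset= 0 actions= restart/5000 command= "C:\Users\Public\run.bat"',
    r'reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v ImagePath /t REG_EXPAND_SZ /d "C:\Users\Public\svc.exe" /f',
    r"sc query Spooler",
    r"reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v Start /t REG_DWORD /d 2 /f",
]

# Selection 1 (assumed name): sc.exe changing an existing service's binary path.
SC_BINPATH = re.compile(r"(?i)\bsc(?:\.exe)?\s+config\s+\S+.*\bbinpath\s*=")

# Selection 2 (assumed name): sc.exe setting a failure-action command for a service.
SC_FAILURE = re.compile(r"(?i)\bsc(?:\.exe)?\s+failure\s+\S+.*\bcommand\s*=")

# Selection 3 (assumed name): reg.exe writing ImagePath or FailureCommand under a
# service key. Both backslashes in the key path are matched literally.
REG_SERVICE_VALUE = re.compile(
    r"(?i)\breg(?:\.exe)?\s+add\s+\S*\\services\\\S+.*/v\s+(ImagePath|FailureCommand)\b"
)

# Extra condition: the command line references an executable or script file.
# The extension list is an assumption, not the rule's own list.
EXEC_REFERENCE = re.compile(r"(?i)\.(exe|dll|bat|cmd|ps1|vbs|js|hta|scr)\b")


def evaluate(command_line: str) -> list[str]:
    """Return the names of the selections that match; an empty list means no alert."""
    hits = []
    if SC_BINPATH.search(command_line):
        hits.append("sc_config_binpath")
    if SC_FAILURE.search(command_line):
        hits.append("sc_failure_command")
    # Registry path only fires when the new value points at an executable or script.
    if REG_SERVICE_VALUE.search(command_line) and EXEC_REFERENCE.search(command_line):
        hits.append("reg_add_service_value_with_executable")
    return hits


def triggers(command_line: str) -> bool:
    """True when at least one selection matches (the rule's overall condition)."""
    return bool(evaluate(command_line))


def scan(command_lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (command line, matched selections) for every event that triggers."""
    return [(c, evaluate(c)) for c in command_lines if triggers(c)]


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_COMMAND_LINES):
        print(f"ALERT {hits}: {cmd}")
```

Running the block prints one alert line per matching event; the `sc query` and start-type change produce nothing, which is the intended behavior since neither touches the binary path or failure actions.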
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2020-09-29