
Summary
This rule detects adversarial or administrative attempts to alter Windows service startup types via the WMIC command-line utility. Specifically, it looks for a WMIC process (wmic.exe) being launched (Image or OriginalFileName matching WMIC) whose command line includes a ChangeStartMode operation targeting a service, with a startup state of Manual or Disabled. The intent is to identify defense-evasion behavior in which an attacker disables a service or sets it to start manually so that it no longer starts automatically, whether to evade defenses, interfere with persistence, or hinder cleanup. The detection relies on Windows process_creation telemetry and fires when WMIC is used to modify service startup configuration, a known technique tagged attack.t1047 (Windows Management Instrumentation) and seen in defense-evasion workflows. Legitimate administrative changes to service startup types using WMIC can generate false positives and should be investigated in context with change management and user/account activity. Recommended responses include validating the administrative activity, correlating with ticketing data, enforcing least privilege and WMIC usage controls, and auditing service configuration changes.
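As an added illustration, not part of this rule page or its rule logic, the matching conditions above applied to constructed process_creation events in Python. Field names follow Sysmon's Image, OriginalFileName, CommandLine and User; the service and account names are made up, and the returned triage record (service, mode, user) is an assumption about what an analyst would want from a hit.

```python
import re

# Constructed sample process_creation events (Sysmon-style fields), not telemetry from the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe", "User": "CORP\\admin1",
     "CommandLine": 'wmic service where name="ExampleSvc" call ChangeStartMode Disabled'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe", "User": "CORP\\admin1",
     "CommandLine": "wmic service where (name='Spooler') call ChangeStartMode Manual"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe", "User": "CORP\\admin1",
     "CommandLine": 'wmic service where name="Spooler" call ChangeStartMode Automatic'},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe", "User": "CORP\\user2",
     "CommandLine": "cmd /c echo ChangeStartMode Disabled"},
    {"Image": r"C:\Temp\tool.exe", "OriginalFileName": "wmic.exe", "User": "CORP\\user2",
     "CommandLine": 'tool.exe service where name="ExampleSvc" call ChangeStartMode Disabled'},
]

SERVICE_RE = re.compile(r"""name\s*=\s*['"]?([^'"\s)]+)""", re.IGNORECASE)

def is_wmic(event):
    """True if the image name or the PE OriginalFileName identifies WMIC.
    OriginalFileName comes from the version resource, so it still matches
    when the file on disk carries another name (event 5 above)."""
    image = event.get("Image", "").lower()
    return image.endswith("\\wmic.exe") or event.get("OriginalFileName", "").lower() == "wmic.exe"

def evaluate(event):
    """Return None when the rule does not fire, else a small triage record.
    Substring checks are case-insensitive, mirroring Sigma's default 'contains'."""
    if not is_wmic(event):
        return None
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()
    if "changestartmode" not in cmd_l:
        return None
    if "disabled" in cmd_l:
        mode = "Disabled"
    elif "manual" in cmd_l:
        mode = "Manual"
    else:
        return None  # e.g. Automatic: a startup change, but not one this rule flags
    m = SERVICE_RE.search(cmd)
    return {"service": m.group(1) if m else None, "mode": mode, "user": event.get("User")}

def run_detection(events):
    """Apply the rule to a batch of events and return only the hits."""
    return [hit for hit in map(evaluate, events) if hit]
```

The Automatic and cmd.exe events are the negative cases; the last event shows why the rule checks OriginalFileName in addition to Image.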
Categories
- Windows
- Endpoint
Data Sources
- Process
- Image
- Command
Created: 2026-04-27