
Summary
This detection rule identifies the deletion of Windows services with the `sc.exe` command, a common adversary tactic for disabling critical system functions or security mechanisms. It monitors EDR data, specifically process execution logs that capture command-line arguments, to surface activity that could lead to privilege escalation or persistent access. The rule inspects Sysmon and Windows Event logs for instances where a service is deleted and flags them for further investigation, strengthening endpoint defenses against both insider threats and external attackers.
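The detection logic the summary describes, as an added example that is not the rule's own search: it runs over constructed Sysmon Event ID 1 records (Image and CommandLine fields) and flags only invocations whose verb is `delete`, including the `sc \\server delete` remote form and quoted service names. Field names and sample values are assumptions for illustration.

```python
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    host: str
    user: str
    image: str          # Sysmon "Image": full path of the executable that ran
    command_line: str   # Sysmon "CommandLine"

def deleted_service_name(event):
    r"""Return the service named in 'sc [\\server] delete <service>', else None."""
    # Key on the Image field (the binary that actually ran), not on argv[0].
    exe = event.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe != "sc.exe":
        return None
    try:
        # posix=False keeps backslashes literal and keeps quoted service names whole.
        tokens = shlex.split(event.command_line, posix=False)
    except ValueError:      # unbalanced quotes: malformed command line
        return None
    args = [t.strip('"') for t in tokens[1:]]
    if args and args[0].startswith("\\\\"):     # optional remote-server token
        args = args[1:]
    if len(args) >= 2 and args[0].lower() == "delete":
        return args[1]
    return None             # query/create/stop/etc. are not deletions

def find_service_deletions(events):
    """Return (host, user, service) for each service deletion via sc.exe."""
    return [(ev.host, ev.user, svc) for ev in events
            if (svc := deleted_service_name(ev)) is not None]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"CORP\jdoe", r"C:\Windows\System32\sc.exe",
                 "sc.exe delete WinDefend"),
    ProcessEvent("WS01", r"CORP\jdoe", r"C:\Windows\System32\sc.exe",
                 "sc.exe query deleteMarker"),        # 'delete' is not the verb here
    ProcessEvent("WS02", r"CORP\svc_ops", r"C:\Windows\System32\sc.exe",
                 r'"C:\Windows\System32\sc.exe" \\SRV01 delete "Example Svc"'),
    ProcessEvent("WS02", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for host, user, svc in find_service_deletions(SAMPLE_EVENTS):
        print(f"ALERT {host} {user} deleted service {svc!r}")
```

Because the match keys on the Image field, a deletion launched through a wrapper such as `cmd.exe /c sc delete ...` would appear under the wrapper's process record; pairing this logic with the Windows Registry data source listed below covers that gap.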
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1543.003
- T1489
Created: 2024-11-13