
Summary
This detection rule focuses on identifying vulnerabilities related to service registry permissions on Windows. It targets exploitation scenarios in which an adversary manipulates the Windows Registry to redirect service execution. The rule checks for PowerShell commands that access registry permissions under the service registry path HKLM\SYSTEM\CurrentControlSet\Services. Such activity may indicate an attempt to gain or extend unauthorized control over services by exploiting flawed permissions. A key element of the detection strategy is that Script Block Logging must be enabled, since it is the source that captures the relevant PowerShell activity. The rule provides a means of detecting behavior that seeks to hijack service execution at startup, a technique commonly used for persistence and for unauthorized privilege escalation. False positives may arise from legitimate administrative activity that reviews or modifies service permissions.
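The following is an added example, not the rule's own query logic, showing how the detection described above can be expressed as a filter over PowerShell Script Block Logging events (Event ID 4104, ScriptBlockText field). The sample events, user names and the exact set of matched cmdlets (Get-Acl, Set-Acl, and the .NET GetAccessControl/SetAccessControl calls) are assumptions made for this example; the allowlist parameter illustrates one way to tune out the legitimate administrative activity the rule's false-positive note mentions.

```python
import re

# Constructed sample records in the shape of PowerShell Script Block Logging
# events (Event ID 4104 with a ScriptBlockText field). Made up for this example.
SAMPLE_EVENTS = [
    {"event_id": 4104, "user": "CORP\\svc-backup",
     "script_block_text": "Get-Acl -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\Spooler' | Format-List"},
    {"event_id": 4104, "user": "CORP\\helpdesk",
     "script_block_text": "Get-ChildItem HKLM:\\SYSTEM\\CurrentControlSet\\Services | Select-Object Name"},
    {"event_id": 4104, "user": "CORP\\helpdesk",
     "script_block_text": "Get-Acl C:\\Windows\\Temp | Format-List"},
    {"event_id": 4104, "user": "CORP\\jdoe",
     "script_block_text": "$k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("
                          "'SYSTEM\\CurrentControlSet\\Services\\Spooler'); $k.GetAccessControl()"},
    {"event_id": 4104, "user": "CORP\\jdoe",
     "script_block_text": "Set-Acl -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Services\\Spooler' -AclObject $acl"},
]

# The service registry path in the forms it commonly appears in PowerShell:
# HKLM:\..., HKLM\..., HKEY_LOCAL_MACHINE\..., or the bare subkey passed to .NET.
SERVICES_KEY_RE = re.compile(
    r"(?:HKLM:?\\|HKEY_LOCAL_MACHINE\\)?SYSTEM\\CurrentControlSet\\Services(?:\\|\b)",
    re.IGNORECASE,
)

# Permission access operations (assumed set for this example): the ACL cmdlets
# and the .NET RegistryKey access-control methods.
PERMISSION_ACCESS_RE = re.compile(
    r"\b(Get-Acl|Set-Acl)\b|\.(GetAccessControl|SetAccessControl)\s*\(",
    re.IGNORECASE,
)


def classify(script_block_text):
    """Return the permission operation found in a script block that touches the
    service registry path, or None when the block does not match both parts."""
    if not SERVICES_KEY_RE.search(script_block_text):
        return None
    match = PERMISSION_ACCESS_RE.search(script_block_text)
    if not match:
        return None
    return match.group(1) or match.group(2)


def detect(events, allowlisted_users=()):
    """Run the detection over 4104 events; return one hit per matching block.
    Users in allowlisted_users (e.g. an approved admin account) are skipped."""
    hits = []
    for event in events:
        if event.get("event_id") != 4104:
            continue  # Only script block events carry ScriptBlockText
        if event.get("user") in allowlisted_users:
            continue
        operation = classify(event["script_block_text"])
        if operation:
            hits.append({
                "user": event["user"],
                "operation": operation,
                "script_block_text": event["script_block_text"],
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['user']}: {hit['operation']} on service key -> {hit['script_block_text']}")
```

Note that merely listing the Services key (the Get-ChildItem block) is not flagged, and neither is Get-Acl on an unrelated path: both conditions, the service registry path and a permission access operation, must be present in the same script block, which keeps the logic aligned with the behavior the rule describes.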
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Script
- Windows Registry
- Process
ATT&CK Techniques
- T1574.011
Created: 2021-12-30