Summary
This analytic detection rule identifies unusual and excessive executions of the `sc.exe` service utility on Windows machines, using Sysmon EventCode 1 (process creation) logs. By monitoring the frequency of `sc.exe` executions within a 15-minute timeframe, the rule aims to flag potential security threats such as ransomware and cryptocurrency miners that attempt to create, modify, or disable critical services. A high execution frequency for this process can indicate malicious activity aimed at escalating privileges or bypassing security mechanisms, leading to potential system compromise. The detection logic calculates the average number of executions along with the standard deviation to establish a threshold, and flags instances that exceed that threshold as potential outliers warranting further investigation.
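The bucketing and outlier logic described above, as an added Python example run over constructed Sysmon EventCode 1 records (not the rule's own search, and not real telemetry). It assumes executions are counted per host and per 15-minute window, and that the threshold is the mean plus three standard deviations; both are assumptions, not values taken from the rule.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

WINDOW_SECONDS = 15 * 60  # 15-minute buckets, matching the rule's timeframe


def constructed_events():
    """Constructed Sysmon EventCode 1 records: Computer, UtcTime, Image."""
    base = datetime(2024, 11, 13, 9, 0, tzinfo=timezone.utc)
    sc, cmd = r"C:\Windows\System32\sc.exe", r"C:\Windows\System32\cmd.exe"
    events = []
    # WS01: one sc.exe launch per window for 12 windows (normal admin noise).
    for i in range(12):
        t = base + timedelta(minutes=15 * i)
        events.append({"Computer": "WS01", "UtcTime": t.isoformat(), "Image": sc})
    # WS02: 40 sc.exe launches inside a single window (the burst to catch).
    for i in range(40):
        t = base + timedelta(minutes=30, seconds=10 * i)
        events.append({"Computer": "WS02", "UtcTime": t.isoformat(), "Image": sc})
    # An unrelated process, to confirm the image filter works.
    events.append({"Computer": "WS02", "UtcTime": base.isoformat(), "Image": cmd})
    return events


def window_counts(events):
    """Count sc.exe executions per (host, 15-minute bucket)."""
    counts = Counter()
    for e in events:
        if not e["Image"].lower().endswith("\\sc.exe"):
            continue
        ts = int(datetime.fromisoformat(e["UtcTime"]).timestamp())
        bucket = ts - ts % WINDOW_SECONDS
        counts[(e["Computer"], bucket)] += 1
    return counts


def find_outliers(counts, sigma=3.0):
    """Return (outliers, upper_bound); sigma=3 is an assumed threshold."""
    values = list(counts.values())
    upper = mean(values) + sigma * pstdev(values)
    outliers = [
        {"Computer": host, "bucket": bucket, "count": n}
        for (host, bucket), n in counts.items()
        if n > upper
    ]
    return outliers, upper


def detect_excessive_sc(events, sigma=3.0):
    return find_outliers(window_counts(events), sigma)
```

Note that a single quiet baseline plus one burst makes the standard deviation large; in practice the baseline should span enough windows that ordinary administrative `sc.exe` use does not inflate the threshold.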
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1569
- T1569.002
Created: 2024-11-13