
New Service Creation Using Sc.EXE

Summary
This rule detects the creation of a new Windows service with the `sc.exe` (Service Control) utility, the built-in tool for service management in Windows environments. The detection logic monitors process-creation events where the executing image is `sc.exe` and the command line contains both the keyword `create` and the argument `binPath`. Because `sc.exe` is a legitimate administrative utility, the context of its use also has to be considered. The rule flags this activity because service creation is a persistence mechanism attackers often use to maintain access to compromised systems. While the detection can catch malicious service creations, legitimate uses (for example, software installations or administrative activity) may also trigger alerts, so flagged incidents require review. The rule was written by Timur Zinniatullin and Daniil Yugoslavskiy of oscd.community, and their work helps fortify defenses against potential privilege escalation attacks that use service creation as a tactic.
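The matching condition described above, applied to a few constructed process-creation events, as an added example that is not the rule's own Sigma source: the match on the image name and on the `create`/`binPath` keywords is case-insensitive, and a small triage helper pulls the service binary out of `sc.exe`'s `binPath= value` argument so a reviewer can judge whether the target path looks like an installer or a user-writable location. The sample events, the `Image`/`CommandLine` field names and the helper are assumptions for this example.

```python
import re
from typing import List, Optional

# Constructed sample process-creation events in Sysmon Event ID 1 style.
# These are made up for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc.exe create UpdaterSvc binPath= "C:\Users\Public\updater.exe" start= auto'},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe query wuauserv"},
    # The rule matches the sc.exe process itself, not the cmd.exe parent that
    # launched it; the child sc.exe event would be logged separately and match there.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c sc create X binPath= "C:\Temp\x.exe"'},
    {"Image": r"C:\Windows\System32\SC.EXE",
     "CommandLine": r"SC.EXE CREATE VendorAgent binpath= C:\ProgramData\Vendor\agent.exe"},
]

# sc.exe syntax is 'binPath= <value>' (note the space after '='); the value may be quoted.
BINPATH_RE = re.compile(r'binpath=\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def matches_sc_service_creation(event: dict) -> bool:
    """Detection condition from the rule description: image is sc.exe and the
    command line contains both 'create' and 'binPath'. Sigma's contains
    modifier is case-insensitive, so both sides are lower-cased."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\sc.exe") and "create" in cmd and "binpath" in cmd


def service_binpath(command_line: str) -> Optional[str]:
    """Triage helper (assumption, not part of the rule): extract the service
    binary path so an analyst can check where the new service points."""
    m = BINPATH_RE.search(command_line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def scan(events: List[dict]) -> List[dict]:
    """Return one alert per matching event, with the extracted binPath attached."""
    alerts = []
    for ev in events:
        if matches_sc_service_creation(ev):
            alerts.append({"CommandLine": ev["CommandLine"],
                           "BinPath": service_binpath(ev["CommandLine"])})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```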
Categories
  • Windows
  • Endpoint
  • Application
Data Sources
  • Process
ATT&CK Techniques
  • T1543.003
Created: 2023-02-20