
Sc exe Manipulating Windows Services

Splunk Security Content

Summary
This analytic rule focuses on detecting the use of the 'sc.exe' command for creating or modifying Windows services within an environment, leveraging data from various Endpoint Detection and Response (EDR) systems. Manipulation of Windows services is often tied to malicious activity such as establishing persistence, privilege escalation, or executing arbitrary code. The rule analyzes process names and command-line arguments associated with 'sc.exe' and raises alerts when suspicious activities are detected. Key data sources include Sysmon EventID 1, Windows Event Log Security Event ID 4688, and CrowdStrike ProcessRollup2 data, ensuring a comprehensive view of potentially malicious actions taken on Windows services. Proper implementation requires ingestion of detailed process logs and command-line executions, necessitating the use of specific Splunk Technology Add-ons and adherence to the Splunk Common Information Model (CIM) for data normalization. Awareness of known false positives is vital as legitimate usage of 'sc.exe' may occur, warranting careful investigation of any triggered alerts.
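The detection approach the summary describes (match the process name `sc.exe`, inspect the command line for a service-creating or service-modifying verb, and suppress known-good parent processes to handle the false positives it warns about) is shown below as an added Python example. This is not the Splunk search from the rule itself; the Sysmon Event ID 1 records, the verb set (`create`, `config`), the CIM-style output field names and the `msiexec.exe` allowlist entry are all constructed assumptions for the example.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records standing in for
# normalized EDR telemetry. None of these are real logs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc.exe create UpdSvc binPath= "C:\Users\Public\upd.exe" start= auto',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe config Spooler start= disabled",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc.exe query wuauserv",          # read-only verb: not flagged
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "WS02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\notepad.exe",      # not sc.exe: not flagged
     "CommandLine": r"notepad.exe create.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Computer": "WS03", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc.exe create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},  # installer parent (allowlist candidate)
]

# sc.exe verbs treated as creating or modifying a service. The page says the
# rule covers creation and modification; this concrete set is an assumption.
SERVICE_WRITE_VERBS = frozenset({"create", "config"})

# Tokenizer that keeps double-quoted arguments (e.g. binPath= "C:\...") intact.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_sc_command(command_line: str):
    """Return (verb, service_name) from an sc.exe command line, or (None, None)."""
    tokens = _TOKEN_RE.findall(command_line)
    if not tokens:
        return None, None
    rest = tokens[1:]                      # drop the executable token itself
    if rest and rest[0].startswith("\\\\"):  # skip the optional \\server argument
        rest = rest[1:]
    if not rest:
        return None, None
    verb = rest[0].lower()
    service = rest[1].strip('"') if len(rest) > 1 else None
    return verb, service


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, parent_allowlist=frozenset()):
    """Flag sc.exe invocations that create or modify a service.

    parent_allowlist holds lower-case parent image names (e.g. an approved
    installer) whose sc.exe children are considered expected and suppressed.
    Returns CIM-style findings (dest, user, process, parent_process_name, ...).
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "sc.exe":
            continue
        verb, service = parse_sc_command(ev.get("CommandLine", ""))
        if verb not in SERVICE_WRITE_VERBS:
            continue
        parent = _basename(ev.get("ParentImage", ""))
        if parent in parent_allowlist:
            continue
        findings.append({
            "dest": ev.get("Computer"),
            "user": ev.get("User"),
            "process_name": "sc.exe",
            "process": ev.get("CommandLine"),
            "parent_process_name": parent,
            "action": verb,
            "service_name": service,
        })
    return findings


if __name__ == "__main__":
    # Run once without tuning, then with an installer parent allowlisted.
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", hit["dest"], hit["user"], hit["action"], hit["service_name"], hit["process"])
    print("after allowlisting msiexec.exe:",
          len(detect(SAMPLE_EVENTS, parent_allowlist={"msiexec.exe"})), "findings")
```

The allowlist is the tuning hook for the false-positive note in the summary: rather than silencing `sc.exe create` globally, it suppresses only the parent processes that an environment has verified as legitimate installers, so a service created from an interactive shell or an unexpected parent still alerts.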
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1543.003
  • T1543
Created: 2024-11-13