
Summary
This detection rule identifies the creation of a Windows service on a remote endpoint using the `sc.exe` command. It leverages process execution logs collected from Endpoint Detection and Response (EDR) systems, specifically looking for `sc.exe` command lines that reference a remote path (a `\\host` target) together with the service creation command. This behavior matters because attackers often use the Service Control Manager to facilitate lateral movement and remote code execution within a network. If this activity is confirmed to be malicious, it could enable attackers to run arbitrary code on affected systems, potentially resulting in further compromise and persistence on the network. To deploy this detection, ingest logs that include process information and command-line details from EDR agents, and ensure they are properly mapped to the Endpoint data model so the search can be run effectively.
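The following is an added example, not the rule's own search logic, that shows the core of the detection as described above: over process events whose fields follow the Endpoint data-model naming (`process_name`, `process`, `dest`, `user`), it flags `sc.exe` invocations whose command line names a remote `\\host` target followed by the `create` verb, while leaving local service creation and remote `query` calls alone. The events are constructed for illustration and the field names and helper functions are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample process events (no real EDR data); field names follow the
# Endpoint.Processes style used by the rule: process_name, process (full
# command line), dest (host where the process ran), user.
SAMPLE_EVENTS = [
    {"dest": "WS01", "user": "CORP\\alice", "process_name": "sc.exe",
     "process": "sc.exe \\\\FS02 create updsvc binPath= \"C:\\Windows\\Temp\\u.exe\""},
    {"dest": "WS01", "user": "CORP\\alice", "process_name": "sc.exe",
     "process": "sc.exe \\\\FS02 query wuauserv"},          # remote, but not create
    {"dest": "WS03", "user": "CORP\\bob", "process_name": "sc.exe",
     "process": "sc.exe create localsvc binPath= C:\\tools\\agent.exe"},  # local only
    {"dest": "SRV01", "user": "NT AUTHORITY\\SYSTEM", "process_name": "svchost.exe",
     "process": "svchost.exe -k netsvcs"},
    {"dest": "WS05", "user": "CORP\\carol", "process_name": "SC.EXE",
     "process": "C:\\Windows\\System32\\SC.EXE \\\\10.0.0.25 CREATE remsvc binpath= cmd.exe"},
]

# sc.exe syntax is "sc [\\ServerName] <verb> ..."; a remote target is the
# second token and looks like \\HOSTNAME or \\IP.
REMOTE_HOST_RE = re.compile(r"^\\\\([A-Za-z0-9._-]+)$")


@dataclass
class Finding:
    dest: str
    user: str
    remote_host: str
    service_name: Optional[str]
    command_line: str


def parse_sc_remote_create(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (remote_host, service_name) when the command line is an
    sc.exe service creation against a remote host, else None.

    The executable, target and verb never contain spaces, so splitting on
    whitespace is enough to inspect the first three tokens; the remainder
    (binPath= and other options) is not needed for the decision.
    """
    tokens = cmdline.split()
    if len(tokens) < 3:
        return None
    # Normalise the executable: strip quotes, drop any directory, lower-case.
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("sc", "sc.exe"):
        return None
    host_match = REMOTE_HOST_RE.match(tokens[1])
    if host_match is None:            # no \\host => local service creation
        return None
    if tokens[2].lower() != "create":  # e.g. query/start/config are not in scope
        return None
    service_name = tokens[3] if len(tokens) > 3 else None
    return host_match.group(1), service_name


def detect_remote_service_creation(events) -> List[Finding]:
    """Apply the rule's logic over a batch of process events."""
    findings = []
    for event in events:
        # First gate, as the rule does, on the process name; the command-line
        # check then removes remote sc.exe calls that do not create a service.
        if event.get("process_name", "").lower() != "sc.exe":
            continue
        parsed = parse_sc_remote_create(event.get("process", ""))
        if parsed is None:
            continue
        remote_host, service_name = parsed
        findings.append(Finding(dest=event["dest"], user=event["user"],
                                remote_host=remote_host, service_name=service_name,
                                command_line=event["process"]))
    return findings


if __name__ == "__main__":
    for f in detect_remote_service_creation(SAMPLE_EVENTS):
        print(f"{f.dest} ({f.user}) created service {f.service_name!r} on {f.remote_host}: {f.command_line}")
```

Only the first and last sample events are reported: the `query` call and the local `create` are filtered out, and the upper-case `SC.EXE` invoked by full path is still matched because the executable name is normalised before comparison. In a production search the same two conditions (process name plus a `\\` target and `create` in the command line) are what the rule's summary describes.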
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1543
- T1543.003
Created: 2024-11-13