diff --git a/host-interaction/service/create/create-service.yml b/host-interaction/service/create/create-service.yml
index 1b01b784a..24f6b433b 100644
--- a/host-interaction/service/create/create-service.yml
+++ b/host-interaction/service/create/create-service.yml
@@ -13,7 +13,14 @@ rule:
 examples:
 - Practical Malware Analysis Lab 03-02.dll_:0x10004706
 features:
- - and:
- - api: advapi32.CreateService
- - optional:
- - api: advapi32.OpenSCManager
+ - or:
+ - and:
+ - api: advapi32.CreateService
+ - optional:
+ - api: advapi32.OpenSCManager
+ - and:
+ - or:
+ - substring: "sc.exe create"
+ - substring: "sc create"
+ - optional:
+ - substring: "binpath="
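Review bot: The new string-based `or` branch has no corresponding entry under `examples:`, which still lists only the Lab 03-02 sample that exercises the `advapi32.CreateService` path, so the `sc create` / `sc.exe create` branch is never validated against a real sample; adding an example that hits it would keep the rule's test coverage in step with its logic. The `substring:` matches are also case-sensitive as far as I can tell, so command lines written with the documented `binPath=` spelling or as `SC CREATE` are missed; if case-insensitive matching is intended, `- regex: /sc(\.exe)? create/i` and `- regex: /binpath=/i` would cover both spellings. The trailing `optional:` block never changes whether the rule matches, so `binpath=` is descriptive only — a short comment such as `# binpath= is descriptive, not required for a match` would make that intent explicit. The rule's `meta` block (name, namespace, authors) starts above the hunk.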