From 19380b704e95728dd3626f4dfdfe884ff880abb5 Mon Sep 17 00:00:00 2001
From: CosmoWorker
Date: Mon, 23 Feb 2026 20:10:04 +0530
Subject: [PATCH] update create-service to detect sc.exe usage
---
 .../service/create/create-service.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/host-interaction/service/create/create-service.yml b/host-interaction/service/create/create-service.yml
index 1b01b784a..24f6b433b 100644
--- a/host-interaction/service/create/create-service.yml
+++ b/host-interaction/service/create/create-service.yml
@@ -13,7 +13,14 @@ rule:
 examples:
 - Practical Malware Analysis Lab 03-02.dll_:0x10004706
 features:
- - and:
- - api: advapi32.CreateService
- - optional:
- - api: advapi32.OpenSCManager
+ - or:
+ - and:
+ - api: advapi32.CreateService
+ - optional:
+ - api: advapi32.OpenSCManager
+ - and:
+ - or:
+ - substring: "sc.exe create"
+ - substring: "sc create"
+ - optional:
+ - substring: "binpath="
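Review bot: The two new `substring` features in the second `and` branch are, as far as I know, matched case-sensitively and without word boundaries, so `SC CREATE`, `sc  create` with extra spacing, or the common `binPath=` spelling would be missed, while unrelated strings such as `misc create` would satisfy `sc create`. A single case-insensitive regex is tighter and replaces both alternatives: `- string: /\bsc(\.exe)?\s+create\b/i`, with `- string: /binpath=/i` under `optional`. The only entry visible under `examples` is the API-based sample, so the string branch appears to have no sample exercising it; adding one would let the rule linter confirm the new branch matches. The rule's `meta` block, including its scope, begins outside the hunk, so whether a command-line string fits the rule's scope cannot be confirmed from here.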