update create-service to detect sc.exe usage

CosmoWorker · CosmoWorker · commit 19380b704e95 · 2026-02-23T22:50:55.000+05:30
diff --git a/host-interaction/service/create/create-service.yml b/host-interaction/service/create/create-service.yml
@@ -13,7 +13,14 @@ rule:
     examples:
       - Practical Malware Analysis Lab 03-02.dll_:0x10004706
   features:
-    - and:
-      - api: advapi32.CreateService
-      - optional:
-        - api: advapi32.OpenSCManager
+    - or:
+      - and:
+        - api: advapi32.CreateService
+        - optional:
+          - api: advapi32.OpenSCManager
+      - and:
+        - or:
+          - substring: "sc.exe create"
+          - substring: "sc create"
+        - optional:
+          - substring: "binpath="
