Used by Windows to manage services

Paths:

C:\Windows\System32\sc.exe
C:\Windows\SysWOW64\sc.exe

Detection: Services that gets created

Alternate data streams

Creates a new service and executes the file stored in the ADS.

sc create evilservice binPath="\"c:\\ADS\\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto\ & sc start evilservice