When sc.exe is used maliciously, it is most commonly to stop (sc.exe stop [service_name]) or start (sc.exe start [service_name]) services. Some legitimate administration or installation scripts require "sc start/stop" to modify a service's run status. In these cases, it is fairly simple to baseline normal, and hopefully legitimate, sc.exe start/stop usage. It should be rare to see sc.exe stopping or starting services manually. Manual use is usually evident from one of two things: the specific sc.exe command line does not exist elsewhere in that environment, or the timestamps of the activities before the suspicious sc.exe are seconds apart rather than milliseconds apart (the former indicating manual human interaction; the latter indicating scripted/automatic activity).
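The two signals described above can be computed from process-creation telemetry. The following is an added example, not code from the original page: the event layout, the logon-session field, the host and service names, the three-event look-back window and the one-second threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (time, host, logon session, command line); layout is assumed.
EVENTS = [
    ("2024-05-01T09:00:00.010", "WS01", "s1", "cmd.exe /c update.bat"),
    ("2024-05-01T09:00:00.042", "WS01", "s1", "sc.exe stop AcmeAgent"),
    ("2024-05-01T09:05:00.020", "WS02", "s7", "cmd.exe /c update.bat"),
    ("2024-05-01T09:05:00.049", "WS02", "s7", "sc.exe stop AcmeAgent"),
    ("2024-05-01T10:02:11.100", "SRV09", "s3", "whoami"),
    ("2024-05-01T10:02:19.400", "SRV09", "s3", "net user"),
    ("2024-05-01T10:02:31.900", "SRV09", "s3", r"C:\Windows\System32\sc.exe stop BackupSvc"),
]

SC_RE = re.compile(r'^"?(?:\S*\\)?sc(?:\.exe)?"?\s+(start|stop)\s+(\S+)', re.I)

def normalize(cmd):
    """Return 'sc <verb> <service>' for an sc.exe start/stop command line, else None."""
    m = SC_RE.match(cmd.strip())
    return f"sc {m.group(1)} {m.group(2)}".lower() if m else None

def triage(events, window=3, human_gap=1.0):
    """Score each sc.exe start/stop event on prevalence and on timing of prior activity."""
    hosts_by_cmd = defaultdict(set)
    sessions = defaultdict(list)
    for ts, host, session, cmd in events:
        sessions[(host, session)].append((datetime.fromisoformat(ts), cmd))
        if normalize(cmd):
            hosts_by_cmd[normalize(cmd)].add(host)
    findings = []
    for (host, _), rows in sessions.items():
        rows.sort()
        for i, (_, cmd) in enumerate(rows):
            norm = normalize(cmd)
            if not norm:
                continue
            # Gaps between the sc.exe event and up to `window` events before it.
            times = [t for t, _ in rows[max(0, i - window):i + 1]]
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            findings.append({
                "host": host, "command": norm,
                "rare": len(hosts_by_cmd[norm]) == 1,  # command line seen on one host only
                "human_paced": bool(gaps) and min(gaps) >= human_gap,
            })
    return findings

if __name__ == "__main__":
    print(*triage(EVENTS), sep="\n")
```

On the constructed data, the scripted `sc stop AcmeAgent` runs on WS01 and WS02 score neither signal, while the SRV09 event scores both and is the one to review first.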