In your custom signature Subrule, try:
Rule type: Files
Operations: ALL (specifically create).
Parameters: Include Files sc.exe (or *\sc.exe)
I have tried what you have suggested, but it still didn't work. Also, we have found that when we run sc.exe to test the signature, we get an event consistently that reports a *different* event. The event we get states that a 'tool that enables the remote creation of services has run'. Weird.