Windows AD Hidden OU Creation

Splunk Security Content

Summary
This detection rule identifies manipulation of access control lists (ACLs) on Active Directory (AD) Organizational Units (OUs) intended to hide their contents from users, including domain administrators. It looks specifically for event code 5136 in the Windows Security event log, which records changes to the properties of directory objects such as OUs. An ACL that denies rights such as 'List contents' or 'List objects', combined with a change to the OU's owner, signals a potential persistence technique that adversaries use to obscure malicious activity within the directory. The rule filters these events, extracts the relevant fields, and evaluates the actions that led to the ACL modification, flagging entries where a user attempts to conceal information from legitimate administrative oversight.
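As an added illustration of the logic the summary describes (not the Splunk rule's own SPL), the following Python pairs the deleted and added nTSecurityDescriptor values that Event ID 5136 records for each OU and flags a new descriptor that both denies List contents (LC) or List object (LO) and carries a changed owner. The event records and SIDs are constructed, and the SDDL parsing is simplified (hex access masks are not decoded).

```python
import re

ACE_RE = re.compile(r"\((\w*);(\w*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

# Constructed Event ID 5136 records (not real log data). An attribute change
# logs a value-deleted (%%14675) event followed by a value-added (%%14674) one.
def ev(dn, op, sddl):
    return {"ObjectDN": dn, "ObjectClass": "organizationalUnit",
            "AttributeLDAPDisplayName": "nTSecurityDescriptor",
            "OperationType": op, "AttributeValue": sddl}

SAMPLE_EVENTS = [
    # Owner replaced AND Everyone (WD) denied LC/LO: the OU is hidden from admins
    ev("OU=Hidden,DC=corp,DC=local", "%%14675", "O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)(A;;LCRPLORC;;;AU)"),
    ev("OU=Hidden,DC=corp,DC=local", "%%14674", "O:S-1-5-21-1111-2222-3333-1105G:DAD:(D;;LCLO;;;WD)(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)"),
    # Owner replaced but no deny ACE: routine delegation, not flagged
    ev("OU=Finance,DC=corp,DC=local", "%%14675", "O:DAG:DAD:(A;;LCRPLORC;;;AU)"),
    ev("OU=Finance,DC=corp,DC=local", "%%14674", "O:S-1-5-21-1111-2222-3333-1200G:DAD:(A;;LCRPLORC;;;AU)"),
    # Deny-listing ACE added but owner unchanged: fails the combined condition
    ev("OU=Sales,DC=corp,DC=local", "%%14675", "O:DAG:DAD:(A;;LCRPLORC;;;AU)"),
    ev("OU=Sales,DC=corp,DC=local", "%%14674", "O:DAG:DAD:(D;;LC;;;AU)(A;;LCRPLORC;;;AU)"),
]

def parse_sddl(sddl):
    """Return (owner, [(ace_type, rights, trustee), ...]) from an SDDL string."""
    owner = re.match(r"O:(.+?)(?=G:|D:|S:)", sddl)
    aces = [(m.group(1), m.group(3), m.group(6)) for m in ACE_RE.finditer(sddl)]
    return (owner.group(1) if owner else None), aces

def denies_listing(rights):
    """True if the two-letter rights codes include LC (List contents) or LO (List object)."""
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & {"LC", "LO"})

def detect_hidden_ou(events):
    """Pair each OU's deleted/added nTSecurityDescriptor values and flag a new
    descriptor that carries a deny-listing ACE while the owner also changed."""
    by_dn = {}
    for e in events:
        if e["ObjectClass"] == "organizationalUnit" and e["AttributeLDAPDisplayName"] == "nTSecurityDescriptor":
            by_dn.setdefault(e["ObjectDN"], {})["old" if e["OperationType"] == "%%14675" else "new"] = e["AttributeValue"]
    findings = []
    for dn, vals in by_dn.items():
        if "new" not in vals:
            continue
        old_owner, _ = parse_sddl(vals.get("old", ""))
        new_owner, aces = parse_sddl(vals["new"])
        denied = [t for kind, rights, t in aces if kind == "D" and denies_listing(rights)]
        if denied and old_owner != new_owner:
            findings.append({"ObjectDN": dn, "new_owner": new_owner, "denied_trustees": denied})
    return findings
```

Only the Hidden OU is reported; Finance changes owner without a deny ACE and Sales adds a deny ACE without an owner change, so neither meets the rule's combined condition.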
Categories
  • Identity Management
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1484
  • T1222
  • T1222.001
Created: 2025-01-21