Abuse of Service Permissions to Hide Services Via Set-Service - PS

Summary
This rule detects potential abuse of the PowerShell cmdlet "Set-Service" to alter the security descriptor of Windows services so that they no longer appear in standard tooling such as "sc.exe" or "Get-Service". Attackers use this technique to persistently hide services that could reveal their presence on a system, improving their stealth and evasion. The detection applies specifically to PowerShell version 7 and relies on Script Block Logging being enabled. The detection logic monitors ScriptBlockText for specific keywords associated with the cmdlet and its parameters, flagging any instance where "Set-Service" is invoked together with the settings that conceal service visibility. False positives may arise from legitimate uses of hidden services or from logging anomalies inherent to ScriptBlockText logging. The rule is mapped to the ATT&CK tactics persistence, defense evasion, and privilege escalation (T1574.011).
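As an added illustration of the keyword-based ScriptBlockText matching the summary describes (example code written for this page, not the Sigma rule's own source): a Python check run over constructed script block samples. The parameter-prefix handling and the deny-ACE test are this example's assumptions; the rule's exact match strings live in its source.

```python
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample ScriptBlockText values (not real telemetry), shaped like the
# text a Script Block Logging event (PowerShell 7, event ID 4104) carries.
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText": "Get-Service -Name Spooler | Format-List *"},
    {"id": 2, "ScriptBlockText": "Set-Service -Name SvcA -StartupType Automatic"},
    {"id": 3, "ScriptBlockText":
        'set-service -name SvcB -SecurityDescriptorSddl "D:(D;;DCLCWPDTSD;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"'},
    {"id": 4, "ScriptBlockText":
        'Set-Service SvcC -SecurityDescriptorSddl "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"'},
    {"id": 5, "ScriptBlockText": 'Set-Service SvcD -Sec "D:(D;;DCLCWPDTSD;;;IU)"'},
]

# Cmdlet names are case-insensitive in PowerShell, so the match must be too.
CMDLET_RE = re.compile(r"\bSet-Service\b", re.IGNORECASE)
# PowerShell accepts any unambiguous parameter prefix, so a detection keyed on the
# full "-SecurityDescriptorSddl" token would miss "-Sec". Assumption: no other
# Set-Service parameter starts with "Sec", so that prefix is unambiguous.
SDDL_PARAM_RE = re.compile(r"-Sec\w*", re.IGNORECASE)
# A deny ACE in SDDL starts with "(D;". The page does not give the rule's exact
# SDDL strings; treating any deny ACE as suspicious is this example's assumption.
DENY_ACE_RE = re.compile(r"\(D;[^)]*\)")


def hidden_service_indicators(script_block_text: str) -> list[str]:
    """Return the deny ACEs set by a Set-Service call that passes an SDDL.
    An empty list means the script block does not match."""
    if not CMDLET_RE.search(script_block_text):
        return []
    if not SDDL_PARAM_RE.search(script_block_text):
        return []
    return DENY_ACE_RE.findall(script_block_text)


def scan(events: Iterable[dict]) -> dict[int, list[str]]:
    """Map event id -> deny ACEs for every event that matches."""
    hits: dict[int, list[str]] = {}
    for ev in events:
        aces = hidden_service_indicators(ev["ScriptBlockText"])
        if aces:
            hits[ev["id"]] = aces
    return hits


if __name__ == "__main__":
    for ev_id, aces in scan(SAMPLE_EVENTS).items():
        print(f"event {ev_id}: Set-Service applied deny ACE(s) {aces}")
```

Event 4 sets an SDDL without a deny ACE and is deliberately not flagged, which is where the false positives the summary mentions would otherwise come from.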
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Process
  • Application Log
Created: 2022-10-17