
Summary
This detection rule monitors PowerShell script block logs for script blocks that modify file or folder access control lists (ACLs) with the Set-Acl cmdlet. It matches script blocks containing the strings "Set-Acl", "-AclObject" and "-Path", the combination a script uses when it builds a security descriptor and writes it to a target path. The rule is mapped to T1505.005 (Server Software Component: Terminal Services DLL), a persistence sub-technique: loosening the ACL on a protected system file is a typical precursor to replacing it, and the same ACL change can also serve defense evasion by granting an attacker access or hiding activity. Analysts should examine the target given in the -Path argument, the account that ran the script and the rights carried by the ACL object, and confirm that the change was authorized. The false-positive rate is low, but administrative and deployment scripts that legitimately set permissions with Set-Acl will trigger the rule and should be baselined or filtered by path and principal. Scripts that omit the named parameters, for example by passing the path positionally or piping an ACL object into Set-Acl, may not contain all three strings and can therefore escape the rule.
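The following is an added example, not code from the detection rule or its repository, that re-implements the rule's matching as an AND of case-insensitive substring checks (an assumption; the summary only lists the terms) and runs it over constructed Event ID 4104 script block entries. It also pulls the -Path argument out of each hit so an analyst can triage the target, and it includes a piped `Set-Acl` invocation to show the gap left by requiring all three strings. The event records, paths and the helper names are invented for illustration.

```python
"""Set-Acl script-block detection (assumed logic) run over sample script block log entries."""
import re

# Tokens the rule looks for; assumed to be combined as a case-insensitive AND.
RULE_TOKENS = ("Set-Acl", "-AclObject", "-Path")

# Constructed Script Block Logging (Event ID 4104) entries, not real telemetry.
SAMPLE_EVENTS = [
    # Loosens the ACL on a system DLL for Everyone: should alert.
    {"RecordId": 1, "ScriptBlockText": (
        "$acl = Get-Acl -Path 'C:\\Windows\\System32\\example.dll'\n"
        "$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("
        "'Everyone', 'FullControl', 'Allow')\n"
        "$acl.SetAccessRule($rule)\n"
        "Set-Acl -Path 'C:\\Windows\\System32\\example.dll' -AclObject $acl")},
    # Routine share administration: alerts too, a candidate for baselining by path.
    {"RecordId": 2, "ScriptBlockText": (
        "$acl = Get-Acl -Path 'D:\\Shares\\Finance'\n"
        "$acl.SetAccessRule($rule)\n"
        "Set-Acl -Path 'D:\\Shares\\Finance' -AclObject $acl")},
    # Same effect as record 1 but positional path and piped ACL: no named parameters, no match.
    {"RecordId": 3, "ScriptBlockText": (
        "$acl = Get-Acl 'C:\\Windows\\System32\\example.dll'\n"
        "$acl.SetAccessRule($rule)\n"
        "$acl | Set-Acl 'C:\\Windows\\System32\\example.dll'")},
    # Read-only inspection: no match.
    {"RecordId": 4, "ScriptBlockText": "Get-Acl -Path C:\\Temp | Format-List"},
    # Lower-case variant: PowerShell is case-insensitive, so the match must be too.
    {"RecordId": 5, "ScriptBlockText": "set-acl -path $target -aclobject $acl"},
]


def matches_rule(script_text, tokens=RULE_TOKENS):
    """True when every rule token appears in the script block, ignoring case."""
    text = script_text.lower()
    return all(token.lower() in text for token in tokens)


# -Path followed by a single-quoted, double-quoted or bare argument.
_PATH_RE = re.compile(r"-Path\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)


def extract_paths(script_text):
    """Return the distinct -Path argument values, in order of appearance, for triage."""
    values = [a or b or c for a, b, c in _PATH_RE.findall(script_text)]
    return list(dict.fromkeys(values))


def scan(events):
    """Apply the rule to each event; yield (RecordId, paths) for every hit."""
    hits = []
    for event in events:
        text = event["ScriptBlockText"]
        if matches_rule(text):
            hits.append((event["RecordId"], extract_paths(text)))
    return hits


if __name__ == "__main__":
    for record_id, paths in scan(SAMPLE_EVENTS):
        print(f"ALERT record {record_id}: Set-Acl targeting {paths}")
```

Records 1, 2 and 5 alert; record 3 changes the same DLL's ACL but never contains "-Path" or "-AclObject", which is why a broader rule (or a complementary one keyed on Set-Acl alone with path-based filtering) is worth considering alongside this one.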
Categories
- Endpoint
- Windows
- Cloud
Data Sources
- Script
ATT&CK Techniques
- T1505.005
Created: 2023-07-18