
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS

Sigma Rules

Summary
This detection rule identifies potentially malicious modification of service permissions via the `Set-Service` PowerShell cmdlet, specifically changes to a service's security descriptor, whose discretionary access control list (DACL) decides who may query, start, stop, reconfigure or delete the service. A DACL that denies those rights to interactive users and administrators hides the service from common service management tools such as `sc.exe` and `Get-Service`, even though it keeps running. The rule targets PowerShell 7, where `Set-Service` accepts a security descriptor in SDDL form; Windows PowerShell 5.1 has no such parameter, so the cmdlet cannot be used this way there. By evaluating logged script blocks, the rule looks for the cmdlet together with the parameter that sets the descriptor, which indicates a possible attempt to alter the visibility and controllability of a service, a tactic attackers use to evade detection and maintain persistence. Detection relies on PowerShell script block logging being enabled; without it the command text never reaches the log. False positives are limited to the rare legitimate use of hidden services.
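The detection logic described above, worked through as an added example that is not part of the Sigma rule or of this page: a Python script that applies the cmdlet-plus-parameter check to constructed script-block texts (the kind carried in PowerShell Event ID 4104 `ScriptBlockText`) and then parses the supplied SDDL to show which trustees are denied the SERVICE_QUERY_STATUS right that service enumeration depends on. It assumes the rule keys on `Set-Service` (and `New-Service`) together with the PowerShell 7 `-SecurityDescriptorSddl` parameter and its `-sd` alias; the rule's exact selection strings are not reproduced here, the sample log lines are made up, and the SDDL parsing is extra triage beyond what a Sigma substring match does.

```python
import re

# Constructed sample ScriptBlockText values (what PowerShell Event ID 4104 would carry).
# These are made up for the example, not captured log data.
SAMPLE_SCRIPT_BLOCKS = [
    # Ordinary service change: no security descriptor involved.
    "Set-Service -Name Spooler -StartupType Disabled",
    # Classic 'hidden service' descriptor: denies query-status and control rights to
    # interactive users (IU), service logon users (SU) and administrators (BA).
    "Set-Service -Name UpdaterSvc -SecurityDescriptorSddl "
    "'D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
    "(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'",
    # Same idea via New-Service and the -sd alias, hiding from interactive users only.
    "New-Service -Name Helper -BinaryPathName C:\\Temp\\h.exe -sd 'D:(D;;DCLCWPDTSD;;;IU)'",
    # Sets a descriptor that only grants rights: passes the cmdlet/parameter check
    # but denies nothing, so it is the shape a legitimate-use false positive would take.
    "Set-Service -Name Spooler -SecurityDescriptorSddl 'D:(A;;CCLCSWRPWPDTLOCRRC;;;BA)'",
]

# Assumed detection keys: the cmdlets and the PowerShell 7 parameter (alias -sd).
# The real rule's selection strings are not copied here.
CMDLET_RE = re.compile(r"\b(?:Set|New)-Service\b", re.IGNORECASE)
SDDL_PARAM_RE = re.compile(r"-(?:SecurityDescriptorSddl|sd)\b", re.IGNORECASE)
# An SDDL string starts with the DACL marker and contains no spaces or quotes.
SDDL_RE = re.compile(r"(D:[^'\"\s]+)")
# DACL = 'D:' + optional control flags (e.g. P, AI) + a run of parenthesised ACEs.
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")
# ACE = (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(
    r"\((?P<type>[AD]);(?P<flags>[^;]*);(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]*)\)"
)

# Service-specific right codes: LC = SERVICE_QUERY_STATUS (needed to enumerate the
# service), DC = CHANGE_CONFIG, WP = STOP, DT = PAUSE_CONTINUE, SD = DELETE.
VISIBILITY_RIGHT = "LC"
PRINCIPALS_OF_INTEREST = {"IU", "SU", "BA"}


def rights_set(rights):
    """Split a two-letter SDDL rights string (e.g. DCLCWPDTSD) into its right codes.
    Hex access masks (0x...) are not decoded by this helper."""
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as dicts (type, flags, rights, sid)."""
    m = DACL_RE.search(sddl)
    return [a.groupdict() for a in ACE_RE.finditer(m.group(1))] if m else []


def hidden_from(sddl):
    """Trustees among IU/SU/BA that a deny ACE strips of SERVICE_QUERY_STATUS."""
    return {
        ace["sid"] for ace in parse_dacl(sddl)
        if ace["type"] == "D"
        and ace["sid"] in PRINCIPALS_OF_INTEREST
        and VISIBILITY_RIGHT in rights_set(ace["rights"])
    }


def evaluate(script_block_text):
    """Approximate the rule (cmdlet + SDDL parameter present) and add SDDL triage."""
    matches = bool(CMDLET_RE.search(script_block_text) and SDDL_PARAM_RE.search(script_block_text))
    if not matches:
        return {"matches_rule": False, "hidden_from": set()}
    m = SDDL_RE.search(script_block_text)
    return {"matches_rule": True, "hidden_from": hidden_from(m.group(1)) if m else set()}


if __name__ == "__main__":
    for text in SAMPLE_SCRIPT_BLOCKS:
        verdict = evaluate(text)
        print(verdict["matches_rule"], sorted(verdict["hidden_from"]), "|", text[:60])
```

The first stage is all a Sigma rule can do (it sees the cmdlet and the parameter, not the effect); the second stage is what an analyst does on the alert: a deny ACE that removes `LC` from `IU` or `BA` is exactly what makes `sc.exe query` and `Get-Service` stop listing the service, whereas a descriptor made only of allow ACEs is the legitimate-use case the rule's false-positive note refers to.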
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Process
Created: 2022-10-24