
Summary
This detection rule identifies suspicious use of the Windows utility 'sc.exe', the built-in tool for managing Windows services. An attacker who wants to conceal their activity may use 'sc.exe' to install a new service and then grant it special permissions, effectively hiding the service from typical user visibility within the service management tools. The rule fires when 'sc.exe' is invoked with command line arguments containing 'sdset', the subcommand that modifies a service's Security Descriptor. Such a modification can obscure the service from the user and supports malicious persistence mechanisms. The detection checks process events with the specified attributes and requires both the image name ('sc.exe') and the command line arguments (containing 'sdset') to match. Organizations should be alerted when this behavior occurs, as it could indicate an attempt at stealthy persistence and privilege escalation by an adversary. The rule has a medium severity level, indicating a significant risk when triggered, though it does have potential false positives.
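The two-condition match described above, run over a few constructed process-creation events, as an added example that is not part of the original rule page. It assumes Sysmon-style 'Image' and 'CommandLine' field names; the events and the SDDL strings are constructed for illustration, and the deny-ACE enrichment is a triage aid added here, not part of the rule.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe query wuauserv"},                 # benign: sc.exe without sdset
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": 'sc.exe sdset ExampleSvc "D:(D;;GA;;;WD)(A;;GA;;;SY)"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo sdset"},                  # 'sdset' present but wrong image
    {"Image": r"C:\Windows\SysWOW64\SC.EXE",
     "CommandLine": "SC.EXE SDSET   spooler D:(D;;GA;;;BA)"},  # case and whitespace variation
]

# The rule's two conditions: image ends with \sc.exe AND command line contains 'sdset'.
# Both comparisons are case-insensitive, matching Sigma's default 'contains' behaviour.
def matches_rule(event):
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\sc.exe") and "sdset" in cmd

_SDSET_RE = re.compile(r"\bsdset\s+(?P<service>\S+)\s+(?P<sddl>.+)", re.IGNORECASE)

# Enrich an alert with the target service and any deny ('D') ACEs found in the SDDL;
# a deny ACE is what removes the service from normal users' view (triage aid, not a verdict).
def parse_sdset(cmd):
    m = _SDSET_RE.search(cmd)
    if not m:
        return None
    sddl = m.group("sddl").strip().strip('"')
    aces = re.findall(r"\(([^)]*)\)", sddl)
    deny = [ace for ace in aces if ace.split(";")[0].upper() == "D"]
    return {"service": m.group("service"), "sddl": sddl, "deny_aces": deny}

# Apply the rule to a batch of events and return enriched alerts for the matches.
def evaluate(events):
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alert = {"image": ev["Image"], "command_line": ev["CommandLine"]}
            alert.update(parse_sdset(ev["CommandLine"]) or {})
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Legitimate administrators also run 'sc sdset', which is the false-positive source the rule notes; the service name and deny ACEs in the alert give the analyst what they need to decide quickly.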
Categories
- Endpoint
- Windows
Data Sources
- Process
- Command
Created: 2023-02-28