
Summary
This detection rule identifies attempts to modify the Service Control Manager (SCManager) security descriptor, specifically process executions of the 'sc.exe' binary with the 'sdset' argument targeting the 'scmanager' service. Using data from Endpoint Detection and Response (EDR) agents, it flags attempts to alter these security settings, which could lead to privilege escalation by malicious actors. The primary data sources for this rule are Sysmon EventID 1, Windows Event Log Security EventID 4688, and CrowdStrike ProcessRollup2. The search query tracks processes that match the specified criteria across the data model and highlights suspicious activity by correlating execution time and the associated user.
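The matching logic described above, as an added example that is not part of the original rule: constructed process-execution records (shaped loosely like normalized Sysmon EventID 1 / Security 4688 events; the field names `_time`, `dest`, `user`, `process_name`, `process` and the SDDL placeholder are assumptions) are checked for sc.exe invocations whose arguments are `sdset scmanager`, tolerating full paths, quoting, mixed case and sc.exe's optional leading server argument.

```python
# Constructed sample events for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2025-01-07T10:15:01Z", "dest": "WS01", "user": "CORP\\jdoe",
     "process_name": "sc.exe",
     "process": "C:\\Windows\\System32\\sc.exe sdset scmanager <constructed-SDDL>"},
    {"_time": "2025-01-07T10:16:40Z", "dest": "WS01", "user": "CORP\\jdoe",
     "process_name": "sc.exe", "process": "sc.exe query scmanager"},
    {"_time": "2025-01-07T11:02:13Z", "dest": "SRV02", "user": "CORP\\svc-build",
     "process_name": "SC.EXE",
     "process": '"C:\\Windows\\System32\\SC.EXE" \\\\SRV02 SDSET SCMANAGER <constructed-SDDL>'},
    {"_time": "2025-01-07T11:05:00Z", "dest": "SRV02", "user": "CORP\\admin",
     "process_name": "sc.exe", "process": "sc.exe sdset wuauserv <constructed-SDDL>"},
    {"_time": "2025-01-07T11:07:22Z", "dest": "SRV02", "user": "CORP\\admin",
     "process_name": "powershell.exe", "process": "powershell.exe -c Get-Service"},
]

def _tokens(cmdline: str) -> list[str]:
    # Whitespace split is enough here: strip surrounding quotes and lowercase
    # so quoted paths and mixed-case arguments compare cleanly.
    return [t.strip('"').lower() for t in cmdline.split()]

def _is_sc_binary(process_name: str, argv0: str) -> bool:
    # Accept the image name field or the basename of argv[0] (either may be a full path).
    base = argv0.replace("/", "\\").rsplit("\\", 1)[-1]
    return process_name.lower() in ("sc.exe", "sc") or base in ("sc.exe", "sc")

def matches_scmanager_sdset(event: dict) -> bool:
    argv = _tokens(event.get("process", ""))
    if not argv or not _is_sc_binary(event.get("process_name", ""), argv[0]):
        return False
    # sc.exe syntax: sc [\\server] sdset <service> <SDDL>; skip an optional
    # server argument so a remote invocation is still matched.
    args = argv[1:]
    if args and args[0].startswith("\\\\"):
        args = args[1:]
    return len(args) >= 2 and args[0] == "sdset" and args[1] == "scmanager"

def find_scmanager_sdset(events: list[dict]) -> list[dict]:
    # Return the fields an analyst would pivot on: when, where, who, and the command line.
    return [{k: e.get(k) for k in ("_time", "dest", "user", "process")}
            for e in events if matches_scmanager_sdset(e)]

if __name__ == "__main__":
    for hit in find_scmanager_sdset(SAMPLE_EVENTS):
        print(f"{hit['_time']} {hit['dest']} {hit['user']}: {hit['process']}")
```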
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1569.002
- T1569
Created: 2025-01-07