Potential Persistence Via Security Descriptors - ScriptBlock

Sigma Rules

Summary
This detection rule identifies potential persistence established by manipulating security descriptors from PowerShell scripts. It looks for the invocation of functions and keywords characteristic of such manipulation, which can be used to plant backdoors in a Windows environment. The rule relies on Script Block Logging, which must be enabled to capture the relevant PowerShell execution details; it examines the logged script text for terms such as `win32_Trustee` and `win32_Ace` and for methods such as `.SetSecurityDescriptor`. Strings associated with Local Security Authority (LSA) manipulation, such as `\Lsa\JD`, are also monitored. Detection is based strictly on the presence of these keywords in the ScriptBlockText field at execution time, which helps flag attempts that might bypass traditional controls. The technique is reminiscent of the one demonstrated by projects such as DAMP, which showcase the security risks of improperly managed security descriptors.
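To show how the keyword logic described above behaves on Script Block Logging events, here is an added Python example (not part of the rule or the Sigma project) that evaluates the terms named in the summary over constructed PowerShell 4104 events. The event field names and the fragment reassembly step are assumptions, and the keyword list is only the terms named in the summary, not the rule's full list.

```python
"""Evaluate the rule's ScriptBlockText keyword logic over sample
PowerShell 4104 events (constructed here, not real telemetry)."""
from collections import defaultdict

# Keywords named in the rule summary (assumed to be a subset of the rule).
# Sigma keyword lists match as case-insensitive substrings of the field.
KEYWORDS = ("win32_Trustee", "win32_Ace", ".SetSecurityDescriptor", "\\Lsa\\JD")


def matched_keywords(script_block_text):
    """Return the rule keywords found in one block of script text."""
    lowered = script_block_text.lower()
    return [k for k in KEYWORDS if k.lower() in lowered]


def reassemble(events):
    """Join 4104 fragments that share a ScriptBlockId, ordered by MessageNumber.
    Long script blocks are logged as several fragments; matching each
    fragment on its own can miss a keyword that straddles a boundary."""
    parts = defaultdict(list)
    for ev in events:
        parts[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
    return {sbid: "".join(t for _, t in sorted(frags)) for sbid, frags in parts.items()}


def evaluate(events):
    """Map ScriptBlockId -> matched keywords for blocks that trigger the rule."""
    hits = {}
    for sbid, text in reassemble(events).items():
        found = matched_keywords(text)
        if found:
            hits[sbid] = found
    return hits


# Constructed sample events: benign admin activity, a block instantiating
# the WMI security classes, and a block split across two fragments.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Process | Where-Object CPU -gt 100"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "$t = ([wmiclass]'Win32_Trustee').CreateInstance(); "
                        "$a = ([wmiclass]'Win32_Ace').CreateInstance()"},
    {"ScriptBlockId": "c3", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "SecurityDescriptor($sd)"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$p = 'Control\\Lsa\\JD'; $obj.Set"},
]

if __name__ == "__main__":
    for sbid, found in evaluate(SAMPLE_EVENTS).items():
        print(f"{sbid}: {found}")
```

Evaluating the two `c3` fragments separately yields no match for either, which is why reassembly by ScriptBlockId matters when the rule is run outside a SIEM that already joins fragments.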
Categories
  • Windows
  • Endpoint
Data Sources
  • Script
Created: 2023-01-05