
Windows New Deny Permission Set On Service SD Via Sc.EXE

Splunk Security Content

Summary
This detection rule identifies potentially malicious changes to Windows service security descriptors by detecting the addition of deny access control entries (ACEs) through execution of 'sc.exe' with the 'sdset' parameter. The rule uses process telemetry collected from Endpoint Detection and Response (EDR) agents to monitor for this specific action. An attacker seeking to escalate privileges or evade security controls may manipulate service permissions, and this analytic helps capture that activity. The search criteria target processes named 'sc.exe' whose command line rewrites a service's security descriptor with deny ACEs for user groups or accounts, indicating possible tampering intended to obscure the attacker's actions on the system.
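The detection logic described above, as an added example that is not part of the Splunk Security Content rule: it parses the SDDL string passed to 'sc.exe sdset' out of constructed EDR process-creation records and reports any service whose DACL receives deny ('D') ACEs, naming the well-known trustee aliases they apply to. The field names 'process_name' and 'command_line' and the sample events are assumptions, not the rule's own data model.

```python
import re

# SDDL ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^)]*)\)")
# DACL component: "D:" optionally followed by control flags (e.g. "PAI"), then one or more ACEs
DACL_RE = re.compile(r"D:(?:[A-Z]+)?((?:\([^)]*\))+)")

# Well-known SDDL trustee aliases commonly seen in service security descriptors
TRUSTEE_NAMES = {
    "IU": "Interactive Users",
    "AU": "Authenticated Users",
    "BU": "Builtin Users",
    "BA": "Builtin Administrators",
    "SY": "Local System",
    "WD": "Everyone",
}

# Constructed sample EDR process-creation records (not real telemetry); field names are assumed
SAMPLE_EVENTS = [
    {"process_name": "sc.exe",
     "command_line": "sc.exe sdset ExampleSvc D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;IU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"},
    {"process_name": "sc.exe", "command_line": "sc.exe query ExampleSvc"},
    {"process_name": "sc.exe",
     "command_line": "sc.exe sdset ExampleSvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"},
    {"process_name": "cmd.exe", "command_line": "cmd.exe /c whoami"},
]


def parse_dacl_aces(sddl):
    """Return (ace_type, rights, trustee) for each ACE in the DACL portion of an SDDL string."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    aces = []
    for ace in ACE_RE.findall(match.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # malformed ACE: skip it rather than crash the detection
        aces.append((fields[0], fields[2], fields[5]))
    return aces


def analyze_sdset(command_line):
    """If the command line is an 'sc sdset <service> <sddl>' call, return (service, sddl); else None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens):
        if tok.lower() == "sdset" and i + 2 < len(tokens):
            return tokens[i + 1], tokens[i + 2]
    return None


def describe_trustee(sid):
    """Expand a well-known SDDL alias to a readable name; raw SIDs pass through unchanged."""
    return f"{TRUSTEE_NAMES[sid]} ({sid})" if sid in TRUSTEE_NAMES else sid


def detect_deny_sdset(events):
    """Return one hit per sc.exe sdset invocation whose new DACL contains deny ACEs."""
    hits = []
    for event in events:
        if event.get("process_name", "").lower() != "sc.exe":
            continue
        parsed = analyze_sdset(event.get("command_line", ""))
        if parsed is None:
            continue
        service, sddl = parsed
        denied = [describe_trustee(sid)
                  for ace_type, _rights, sid in parse_dacl_aces(sddl) if ace_type == "D"]
        if denied:
            hits.append({"service": service, "deny_trustees": denied,
                         "command_line": event["command_line"]})
    return hits


if __name__ == "__main__":
    for hit in detect_deny_sdset(SAMPLE_EVENTS):
        print(f"deny ACE set on service {hit['service']} for {', '.join(hit['deny_trustees'])}")
```

Only the first sample event is reported: it is the sole 'sdset' call whose DACL contains an ACE of type 'D'. The third event also rewrites the descriptor but grants access only, so a detection keyed purely on 'sdset' would be noisier than one that inspects the ACE types as this one does.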
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1564
Created: 2025-01-07