
Summary
This detection rule monitors modifications to critical Windows accessibility binaries, notably sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, and AtBroker.exe. Attackers often replace or overwrite these binaries to bypass authentication controls or to gain code execution on the system. The rule uses filesystem activity data from the Endpoint.Filesystem data model to flag unauthorized changes to these files, guarding against attacks that leverage these components to achieve persistence or privilege escalation. By analyzing Sysmon EventID 11 (FileCreate) logs, it detects abnormal changes and alerts security teams to possible unauthorized access attempts. Implementing this rule requires properly configured data ingestion from endpoints and an understanding of typical operational changes to these files, in order to minimize false positives.
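The following is an added example, not the rule's own search logic: a minimal Python version of the detection run over constructed Sysmon EventID 11 records, showing which events the rule flags, which it ignores, and one way to tune out expected writers to reduce false positives. The expected_writers allowlist is an assumption of this example, not a field of the rule.

```python
# Added example: the page's detection logic applied to constructed Sysmon
# Event ID 11 (FileCreate) records. Field names (EventID, Image,
# TargetFilename) are the standard Sysmon field names.
import ntpath

# The accessibility binaries the rule watches (names as listed on the page).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}

# Only the protected system locations matter; a same-named file elsewhere
# (e.g. a user's Downloads folder) is not what this rule is about.
WATCHED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_accessibility_binary_change(event: dict) -> bool:
    """True if a Sysmon Event ID 11 record writes a watched binary in place."""
    if event.get("EventID") != 11:
        return False
    directory, name = ntpath.split(event.get("TargetFilename", ""))
    return name.lower() in ACCESSIBILITY_BINARIES and directory.lower() in WATCHED_DIRS


def find_alerts(events, expected_writers=()):
    """Return (image, target) pairs to alert on.

    expected_writers is an assumed tuning knob: lowercase full paths of
    processes known to legitimately service these files in this environment."""
    alerts = []
    for e in events:
        if not is_accessibility_binary_change(e):
            continue
        image = e.get("Image", "")
        if image.lower() in expected_writers:
            continue  # known operational change, suppressed by tuning
        alerts.append((image, e["TargetFilename"]))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\sethc.exe"},
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\utilman.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\sethc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\osk.exe"},
]

if __name__ == "__main__":
    for image, target in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {image} wrote {target}")
```

Untuned, the sample stream yields two alerts (the cmd.exe and TrustedInstaller writes); passing the servicing process in expected_writers leaves only the cmd.exe write, which is the case the rule is meant to catch.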
Categories
- Endpoint
- Windows
Data Sources
- File
ATT&CK Techniques
- T1546
- T1546.008
Created: 2024-11-13