Windows Modify Registry Disable Restricted Admin

Splunk Security Content

Summary
This detection rule identifies any modification to the Windows registry value 'DisableRestrictedAdmin', which controls the behavior of Restricted Admin mode. Restricted Admin mode is a Windows feature that helps limit credential exposure during remote desktop connections. If an attacker gains the access needed to modify this registry setting, the risk of credential theft and unauthorized access increases, because an important security control is being disabled. The rule leverages Sysmon Event IDs 12 and 13, which track changes to the registry, and is applicable within endpoint security monitoring solutions like Splunk. Confirmed changes may indicate malicious intent and warrant further investigation.
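The matching logic the summary describes, written out as an added Python example (not the Splunk rule's own SPL): it takes Sysmon Event ID 12 and 13 records, keeps only those whose TargetObject ends in the DisableRestrictedAdmin value under the Lsa key, and reports who changed it, with which process, and to what value. The sample records are constructed, and the full registry path is assumed from Microsoft's documentation of the value rather than taken from the page.

```python
import re

# Constructed Sysmon registry records, shaped like the fields Splunk extracts; not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 13, "EventType": "SetValue", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin",
     "Details": "DWORD (0x00000000)"},
    {"EventCode": 13, "EventType": "SetValue", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel",
     "Details": "DWORD (0x00000005)"},
    {"EventCode": 12, "EventType": "DeleteValue", "User": "CORP\\admin",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"},
    {"EventCode": 1, "EventType": "ProcessCreate", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

# Match the value name under the Lsa key whether Sysmon reports the HKLM\ or \REGISTRY\MACHINE\ form.
TARGET_RE = re.compile(r"\\Control\\Lsa\\DisableRestrictedAdmin$", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9a-fA-F]+)\)")


def parse_dword(details):
    """Return the integer from a Sysmon 'DWORD (0x...)' Details string, or None if absent."""
    if not details:
        return None
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def detect(events):
    """Flag Sysmon Event ID 12/13 records that touch DisableRestrictedAdmin."""
    findings = []
    for ev in events:
        if ev.get("EventCode") not in (12, 13):
            continue  # only registry create/delete (12) and value-set (13) events matter here
        if not TARGET_RE.search(ev.get("TargetObject", "")):
            continue
        findings.append({
            "event_type": ev.get("EventType"),
            # 0 enables Restricted Admin mode, 1 disables it; any change outside change control is suspect
            "new_value": parse_dword(ev.get("Details")),
            "image": ev.get("Image"),
            "user": ev.get("User"),
            "target": ev.get("TargetObject"),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```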
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1112
  • T1003.004
Created: 2025-01-21