
Summary
This detection rule identifies the creation of a hidden local user account on Windows by watching the registry writes that Sysmon records when a new entry is added to the Security Account Manager (SAM) database. A local account is hidden by giving it a name that ends in '$'; such accounts are not listed by `net user`, which is why attackers use the suffix for persistence. When an account is created, a key named after the account appears under HKLM\SAM\SAM\Domains\Account\Users\Names\, and Sysmon logs this as a registry object create event (Event ID 12). The rule fires when all three of the following hold: the registry object (TargetObject) contains '\SAM\SAM\Domains\Account\Users\Names\', the object name ends with a '$' character, and the writing process (Image) ends with '\lsass.exe'. The last condition is not an indicator of compromise in itself: every legitimate SAM modification is performed by the Local Security Authority Subsystem Service (lsass.exe) on behalf of the caller, so the check confirms that the event is a real account change made through the operating system rather than an unrelated write to a similarly named key. Because an unauthorized local account grants an attacker durable access to the host, the rule is assigned a high level. Two practical caveats: the Sysmon configuration in use must actually log registry events for the SAM path, and legitimately created accounts whose names end in '$' will also match and should be tuned out rather than suppressed.
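The following is an added example, not part of the original rule page, that reproduces the three matching conditions described above in Python and runs them over a handful of constructed Sysmon Event ID 12 records. The event field names (EventID, EventType, Image, TargetObject) follow Sysmon's registry event schema; the sample events, account names and paths are made up for illustration. Like Sigma's default string modifiers, the comparison is case-insensitive, which the mixed-case fourth event exercises.

```python
"""Hidden local user creation: the rule's registry conditions applied to
constructed Sysmon registry events (added example, not the rule file itself)."""

# Path fragment from the rule; single backslashes, hence the escaped literal.
SAM_NAMES_PATH = "\\SAM\\SAM\\Domains\\Account\\Users\\Names\\"
LSASS_SUFFIX = "\\lsass.exe"


def match_hidden_user_creation(event: dict) -> bool:
    """Return True when an event satisfies all three conditions of the rule.

    Sigma 'contains' / 'endswith' modifiers are case-insensitive by default,
    so both fields are lower-cased before comparison.
    """
    target = event.get("TargetObject", "").lower()
    image = event.get("Image", "").lower()
    return (
        SAM_NAMES_PATH.lower() in target   # a key under the SAM user-name index
        and target.endswith("$")           # account name carries the hiding suffix
        and image.endswith(LSASS_SUFFIX)   # written by LSASS, i.e. a real SAM change
    )


def run_detection(events: list) -> list:
    """Filter a list of Sysmon registry events down to the ones that alert."""
    return [e for e in events if match_hidden_user_creation(e)]


def alerted_accounts(events: list) -> list:
    """Convenience view: just the account names (last path component) that fired."""
    return [e["TargetObject"].rsplit("\\", 1)[-1] for e in run_detection(events)]


# Constructed sample events (Sysmon Event ID 12 = registry object create/delete).
SAMPLE_EVENTS = [
    {  # hidden account 'support$' created through LSASS -> alert
        "EventID": 12, "EventType": "CreateKey",
        "Image": "C:\\Windows\\system32\\lsass.exe",
        "TargetObject": "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\support$",
    },
    {  # ordinary account 'alice' created -> no '$' suffix, no alert
        "EventID": 12, "EventType": "CreateKey",
        "Image": "C:\\Windows\\system32\\lsass.exe",
        "TargetObject": "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\alice",
    },
    {  # '$' key written by a different process -> not an LSASS account change
        "EventID": 12, "EventType": "CreateKey",
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\backup$",
    },
    {  # same pattern in different letter case -> still alerts (case-insensitive)
        "EventID": 12, "EventType": "CreateKey",
        "Image": "C:\\WINDOWS\\SYSTEM32\\LSASS.EXE",
        "TargetObject": "HKLM\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\NAMES\\SVC$",
    },
    {  # '$' at the end of an unrelated key path -> wrong location, no alert
        "EventID": 12, "EventType": "CreateKey",
        "Image": "C:\\Windows\\system32\\lsass.exe",
        "TargetObject": "HKLM\\SECURITY\\Policy\\Secrets\\svc$",
    },
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT hidden local user creation:", hit["TargetObject"])
```

Running the block prints two alerts, for `support$` and `SVC$`. The third event is the one worth noting when tuning: a '$'-suffixed key under the SAM path written by anything other than lsass.exe is not an account creation and is deliberately excluded by the rule, but it may deserve its own, separate detection for direct hive tampering.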
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2021-05-03