Disable UAC Remote Restriction

Splunk Security Content

Summary
This analytic rule detects modification of the Windows registry key that controls User Account Control (UAC) remote restrictions. Specifically, it monitors for changes where the registry value "LocalAccountTokenFilterPolicy" is set to "0x00000001" under the path "CurrentVersion\Policies\System". Setting this value weakens UAC for remote connections, which can enable privilege escalation: a malicious actor with local account credentials can execute unauthorized commands with elevated permissions over the network. The rule uses data collected from Sysmon, specifically Event IDs 12 and 13, and raises an alert whenever this registry key is altered. In practice, administrators should ensure that any legitimate changes to this setting are accounted for to reduce false positives, since non-critical machines may have valid reasons for this modification.
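As an added illustration of the detection logic described above (this is example code, not the Splunk Security Content rule itself), the following Python function applies the same check to Sysmon registry events. The event records are constructed here for the example; the field names `EventID`, `TargetObject`, `Details`, `Image` and `Computer` follow Sysmon's registry event schema, and the `DWORD (0x00000001)` rendering of the value in `Details` is an assumption about how Sysmon formats DWORD data. The `allowlist` parameter is a hypothetical addition that models the false-positive handling the summary recommends for hosts with a known legitimate reason for the change.

```python
import re

# Tail of the registry path the rule watches (compared case-insensitively).
TARGET_SUFFIX = r"currentversion\policies\system\localaccounttokenfilterpolicy"

# Assumption: Sysmon Event 13 renders a DWORD value in Details as "DWORD (0x00000001)".
DWORD_ONE = re.compile(r"DWORD\s*\(0x0*1\)", re.IGNORECASE)

# Constructed sample events (not real telemetry). Only Event ID 13 carries the
# value in Details; Event ID 12 records key/value creation or deletion.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000000)"},          # value restored to 0: not an alert
    {"EventID": 13, "Computer": "WS03", "User": "CORP\\carol",
     "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000001)"},          # different value name: not an alert
    {"EventID": 12, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy",
     "EventType": "CreateValue"},               # creation only, no data yet
    {"EventID": 13, "Computer": "BUILD-LAB", "User": "CORP\\svc_build",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000001)"},          # legitimate on an allowlisted host
]

# Hypothetical allowlist of hosts where this setting is expected (tuning knob).
DEFAULT_ALLOWLIST = frozenset({"BUILD-LAB"})


def sets_token_filter_policy_to_one(event: dict) -> bool:
    """True when a Sysmon registry event writes LocalAccountTokenFilterPolicy = 1."""
    if event.get("EventID") not in (12, 13):
        return False
    target = event.get("TargetObject", "").lower()
    if not target.endswith(TARGET_SUFFIX):
        return False
    # Only Event ID 13 (value set) carries the written data; Event ID 12 does not.
    return event["EventID"] == 13 and bool(DWORD_ONE.search(event.get("Details", "")))


def find_alerts(events, allowlist=DEFAULT_ALLOWLIST):
    """Return alert records for matching events on hosts not in the allowlist."""
    alerts = []
    for ev in events:
        if not sets_token_filter_policy_to_one(ev):
            continue
        if ev.get("Computer") in allowlist:
            continue  # known-legitimate host: suppress to limit false positives
        alerts.append({
            "Computer": ev.get("Computer"),
            "User": ev.get("User"),
            "Image": ev.get("Image"),
            "TargetObject": ev.get("TargetObject"),
            "Details": ev.get("Details"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT: UAC remote restriction disabled:", alert)
```

Running the block prints one alert, for `WS01`; the write on `BUILD-LAB` is suppressed by the allowlist, and the `EnableLUA` write, the reset to `0x00000000`, and the bare Event ID 12 creation do not match. Passing an empty allowlist surfaces the `BUILD-LAB` event as well, which is the trade-off the summary describes between catching every change and tolerating hosts with a valid reason for it.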
Categories
  • Endpoint
Data Sources
  • Container
  • User Account
ATT&CK Techniques
  • T1548.002
  • T1548
Created: 2024-12-08