
Windows Remote Services Allow Remote Assistance

Splunk Security Content

Summary
This analytic detects modification of the Windows registry value that enables Remote Assistance, a built-in feature attackers abuse to obtain remote access to a host. The rule is built on Sysmon registry events (Event ID 12, key create/delete, and Event ID 13, value set) and looks for writes to 'Control\Terminal Server\fAllowToGetHelp', the value behind the "Allow Remote Assistance connections to this computer" setting. Writes to this value are uncommon outside of deliberate administrative configuration, so when they originate from an unexpected process they can indicate malicious activity; the Azorult malware family is known to enable this feature. If confirmed malicious, this behavior gives the attacker a remote-access channel to the host, leading to potential data theft or further exploitation.
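To show what the rule actually evaluates, here is an added example (not Splunk's own search logic) that applies the detection described above to a handful of constructed Sysmon events. Splunk's content runs as SPL over the Endpoint.Registry data model; this Python version reproduces the same conditions directly on the Sysmon XML: a registry event (ID 12 or 13) whose TargetObject ends in Control\Terminal Server\fAllowToGetHelp and whose value is set to 1. The event XML, hostnames, process paths and user names are all constructed sample data, and alerting only on the value 1 (enable) rather than any write is this example's assumption, since the page names only the key.

```python
"""Re-implementation of the fAllowToGetHelp detection over constructed Sysmon events (example code)."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Rule parameters from the page: Sysmon registry events 12/13 and the fAllowToGetHelp
# value under Control\Terminal Server. Suffix matching (lower-cased) covers
# HKLM\System\CurrentControlSet\... as well as the ControlSet001/002 spellings.
REGISTRY_EVENT_IDS = {12, 13}
TARGET_SUFFIX = r"\control\terminal server\fallowtogethelp"
# fAllowToGetHelp = 1 enables Remote Assistance, 0 disables it. Firing only on the
# enabling value is an assumption of this example, not stated on the page.
ENABLING_VALUE = 1

# Sysmon renders DWORD data in the Details field as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


def make_event(event_id, **fields):
    """Build a minimal Sysmon-style event XML string (constructed sample data)."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVENT_NS}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'<Computer>WS01.corp.example</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


def parse_event(xml_text):
    """Flatten a Sysmon event into {'EventID': int, <Data Name>: <text>, ...}."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    fields = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {"EventID": event_id, **fields}


def dword_value(details):
    """Return the integer behind a Sysmon DWORD Details string, or None if not a DWORD."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def matches_rule(ev):
    if ev["EventID"] not in REGISTRY_EVENT_IDS:
        return False
    if not ev.get("TargetObject", "").lower().endswith(TARGET_SUFFIX):
        return False
    # Event ID 12 (key create/delete) carries no Details, so in practice only a
    # SetValue (ID 13) writing 1 fires; a write of 0 (disable) is ignored.
    return dword_value(ev.get("Details", "")) == ENABLING_VALUE


def run_detection(xml_events):
    """Return one alert record per event that satisfies the rule."""
    alerts = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if matches_rule(ev):
            alerts.append({k: ev.get(k, "") for k in ("UtcTime", "Image", "User", "TargetObject", "Details")})
    return alerts


KEY = r"HKLM\System\CurrentControlSet\Control\Terminal Server\fAllowToGetHelp"

# Constructed sample events: one malicious enable, one legitimate disable,
# one unrelated value, one key creation, one process-creation event.
SAMPLE_EVENTS = [
    make_event(13, EventType="SetValue", UtcTime="2024-11-13 10:15:02.123",
               Image=r"C:\Users\victim\AppData\Local\Temp\update.exe",
               TargetObject=KEY, Details="DWORD (0x00000001)", User=r"CORP\victim"),
    make_event(13, EventType="SetValue", UtcTime="2024-11-13 10:20:44.001",
               Image=r"C:\Windows\System32\SystemPropertiesRemote.exe",
               TargetObject=KEY, Details="DWORD (0x00000000)", User=r"CORP\admin"),
    make_event(13, EventType="SetValue", UtcTime="2024-11-13 10:21:10.500",
               Image=r"C:\Windows\System32\svchost.exe",
               TargetObject=r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
               Details="DWORD (0x00000001)", User="NT AUTHORITY\\SYSTEM"),
    make_event(12, EventType="CreateKey", UtcTime="2024-11-13 10:22:00.000",
               Image=r"C:\Windows\System32\svchost.exe",
               TargetObject=r"HKLM\System\CurrentControlSet\Control\Terminal Server", User="NT AUTHORITY\\SYSTEM"),
    make_event(1, UtcTime="2024-11-13 10:23:00.000",
               Image=r"C:\Users\victim\AppData\Local\Temp\update.exe", User=r"CORP\victim"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event fires: the disable write (value 0), the fDenyTSConnections write, the key creation and the process-creation event all fall outside the rule. In triage the Image and User fields are what separate an administrator toggling the setting from malware doing so from a temp directory.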
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1021.001
  • T1021
Created: 2024-11-13