Windows Disable Change Password Through Registry

Splunk Security Content

Summary
This rule identifies a suspicious registry modification on Windows systems that disables the Change Password function (the "Change a password" option on the Ctrl+Alt+Del screen). Specifically, it monitors registry value writes to the path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword" where the new data is "0x00000001"; the leading wildcard matches the key under both the machine hive and a per-user hive. Setting this policy prevents users from changing their passwords, a tactic used by ransomware operators to keep control of compromised machines: once a user or responder cannot rotate credentials from the console, the attacker's stolen credentials stay valid longer and an existing foothold is easier to maintain. Note that a value of 0x00000000 re-enables the function and is not flagged. Detection depends on ingesting Sysmon Event ID 12 (registry key/value create or delete) and Event ID 13 (registry value set) logs; the value-set events carry the written data and are what this rule matches on. More generally, the rule illustrates why registry policy keys under Policies\System should be monitored for unexpected changes.
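As an added example (not part of the Splunk Security Content page or its search), the matching logic above is reproduced in Python and run over constructed Sysmon Event ID 13 records. The record layout (EventID, EventType, Image, TargetObject, Details) follows Sysmon's RegistryEvent schema; the "DWORD (0x00000001)" form of the Details field and the specific sample paths, SID and image names are assumptions made for this illustration, and the suffix match on TargetObject stands in for the rule's leading "*\\" wildcard.

```python
import re
from typing import Dict, Iterable, List, Optional

# Suffix of the registry path the rule watches. Matching on the suffix mirrors the
# rule's leading "*\\" wildcard, so both HKLM\SOFTWARE\... and HKU\<SID>\SOFTWARE\... hit.
TARGET_SUFFIX = (
    "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword"
)

# Sysmon writes DWORD data into the Details field as "DWORD (0x00000001)" (assumed format).
DWORD_RE = re.compile(r"^DWORD \((0x[0-9A-Fa-f]{1,8})\)$")

# Constructed sample events; these are not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # Policy set in a user hive: this is the behaviour the rule is meant to catch.
        "EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"
                        "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword",
        "Details": "DWORD (0x00000001)",
    },
    {   # Same key, but the policy is being reverted to 0: not flagged.
        "EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword",
        "Details": "DWORD (0x00000000)",
    },
    {   # Sibling policy value with the same data: different value name, not flagged.
        "EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation",
        "Details": "DWORD (0x00000001)",
    },
    {   # Event ID 12 (key/value created) carries no Details, so the value cannot be judged yet.
        "EventID": 12, "EventType": "CreateKey", "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
    },
]


def parse_dword(details: str) -> Optional[int]:
    """Return the integer value of a Sysmon DWORD Details string, or None if it is not a DWORD."""
    m = DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def is_disable_change_password(event: Dict[str, object]) -> bool:
    """True if the event is a value-set on ...\\Policies\\System\\DisableChangePassword with data 1."""
    if event.get("EventID") != 13:
        return False
    target = str(event.get("TargetObject", ""))
    # Registry paths are case-insensitive, so compare in lower case.
    if not target.lower().endswith(TARGET_SUFFIX.lower()):
        return False
    return parse_dword(str(event.get("Details", ""))) == 1


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the rule over a stream of events and return the matching ones."""
    return [e for e in events if is_disable_change_password(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} set {hit['TargetObject']} = {hit['Details']}")
```

Only the first record is reported: the revert to 0x00000000, the sibling DisableLockWorkstation value and the Event ID 12 key creation all fall outside the rule, which is the intended scope (a single policy value, set to 1). In a real pipeline the Image and user fields of the hit are what an analyst uses to decide whether the change came from legitimate policy tooling or from an interactive reg.exe/regedit.exe session.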
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Windows Registry
  • File
  • Process
ATT&CK Techniques
  • T1112
Created: 2024-12-08