
Summary
This detection rule focuses on the manipulation of local accounts via PowerShell on Windows systems. Adversaries may manipulate local user accounts (disabling, enabling, creating, renaming or removing them) to maintain access to compromised systems. This detection requires Script Block Logging to be enabled, which logs the content of PowerShell scripts executed in the environment. The rule specifies a selection pattern that captures PowerShell commands which modify user accounts; such commands can indicate malicious activity when executed under suspicious circumstances. Because legitimate administrative scripts can trigger the same pattern, analysts are advised to review the context around detected events to determine whether they indicate compromise or routine administration. References provide additional context on both the techniques used in these manipulations and PowerShell's local account management capabilities.
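As an added example that is not part of this rule, the following Python applies the kind of selection pattern described above to constructed Script Block Logging records (Event ID 4104). The record field names (EventID, Computer, ScriptBlockText) and the sample events are assumptions; the cmdlet names are the documented local-account cmdlets for the five actions the summary lists.

```python
import re
from typing import Dict, List

# Cmdlets from the Microsoft.PowerShell.LocalAccounts module that create,
# remove, rename, enable or disable local user accounts.
LOCAL_USER_CMDLETS = (
    "New-LocalUser", "Remove-LocalUser", "Rename-LocalUser",
    "Enable-LocalUser", "Disable-LocalUser",
)
# Case-insensitive (PowerShell is), with word boundaries so that a longer
# token such as "New-LocalUserProfile" does not match.
CMDLET_RE = re.compile(
    r"\b(" + "|".join(re.escape(c) for c in LOCAL_USER_CMDLETS) + r")\b",
    re.IGNORECASE,
)


def match_script_block(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one hit per local-account cmdlet found in a 4104 event's ScriptBlockText."""
    if event.get("EventID") != "4104":  # only script block records carry the script text
        return []
    text = event.get("ScriptBlockText", "")
    hits = []
    for m in CMDLET_RE.finditer(text):
        # Normalise casing so analysts can pivot on a stable Cmdlet field.
        canonical = next(c for c in LOCAL_USER_CMDLETS if c.lower() == m.group(1).lower())
        # Keep the rest of the line (account name, switches) as triage context.
        line_end = text.find("\n", m.start())
        line = text[m.start(): line_end if line_end != -1 else len(text)]
        hits.append({"Computer": event.get("Computer", ""),
                     "Cmdlet": canonical, "Command": line.strip()})
    return hits


# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    {"EventID": "4104", "Computer": "WS01",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
    {"EventID": "4104", "Computer": "WS02",
     "ScriptBlockText": "$p = ConvertTo-SecureString 'x' -AsPlainText -Force\n"
                        "New-LocalUser -Name svc_backup -Password $p"},
    {"EventID": "4104", "Computer": "WS03",
     "ScriptBlockText": "disable-localuser -Name Guest"},
    {"EventID": "4103", "Computer": "WS03",   # wrong event ID: ignored
     "ScriptBlockText": "Remove-LocalUser -Name temp"},
]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the selection over a batch of records and collect every hit."""
    hits: List[Dict[str, str]] = []
    for e in events:
        hits.extend(match_script_block(e))
    return hits
```

Each hit still needs the context review the summary calls for; a provisioning script on a build host will produce the same New-LocalUser hit as an intruder on a workstation.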
Categories
- Endpoint
- Windows
Data Sources
- Script
- Process
ATT&CK Techniques
- T1098
Created: 2021-12-28