Command Line Utility Added to Accessibility Features

Anvilogic Forge

Summary
This detection rule looks for modifications to Windows accessibility features that let an adversary establish persistence or escalate privileges by launching a command-line utility such as cmd.exe or PowerShell from the logon screen. Windows starts accessibility binaries such as sethc.exe (Sticky Keys) and utilman.exe (Utility Manager) before any user has logged in, and it runs them as SYSTEM; if the Debugger value under the Image File Execution Options (IFEO) key for one of those binaries points at cmd.exe or powershell.exe, triggering the feature at the logon screen opens a SYSTEM shell with no credentials. The rule runs as a Splunk search over EventCode 4103 events and applies a regular expression that matches IFEO entries registering cmd.exe or powershell.exe as the debugger for accessibility executables such as sethc.exe or utilman.exe. Since 4103 is the PowerShell module-logging event, coverage depends on module logging being enabled and on the change being made through PowerShell; a registry write made with reg.exe or directly through the API is not recorded in that event and needs a registry-auditing source to be seen. Capturing these events surfaces attempts to use accessibility features to keep control of a host or to gain access without going through the normal logon process. The rule is mapped to MITRE ATT&CK T1059 (Command and Scripting Interpreter) and T1546.008 (Event Triggered Execution: Accessibility Features).
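The matching logic described above, written here as an added example in Python rather than as the rule's Splunk search (this is not Anvilogic's code): it runs over a few constructed, simplified event texts and flags any Image File Execution Options Debugger value that points an accessibility binary at cmd.exe or powershell.exe, while leaving alone a debugger set on a non-accessibility binary, a real debugger set on an accessibility binary, and a read-only query that merely mentions powershell.exe. The binaries beyond sethc.exe and utilman.exe follow ATT&CK T1546.008 and are an assumption about the rule's coverage; the event texts are constructed for the example.

```python
import re

# Accessibility binaries that winlogon can launch from the logon screen. The page names
# only sethc.exe and utilman.exe; the rest of this list follows ATT&CK T1546.008 and is
# an assumption about the rule's full coverage.
ACCESSIBILITY_BINARIES = (
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
)

# IFEO subkey for one of those binaries, e.g. ...\Image File Execution Options\sethc.exe
IFEO_TARGET_RE = re.compile(
    r"Image File Execution Options\\(?P<target>"
    + "|".join(re.escape(name) for name in ACCESSIBILITY_BINARIES)
    + r")(?=[\\\"'\s]|$)",
    re.IGNORECASE,
)

# The value written to the Debugger entry, in the forms the sample events use:
#   -Name Debugger -Value "..."      (Set-ItemProperty / New-ItemProperty)
#   /v Debugger /t REG_SZ /d "..."   (reg add)
# Unrelated switches between the name and the value are skipped lazily; the value may be
# double-quoted, single-quoted, or a bare token that does not itself look like a switch.
DEBUGGER_VALUE_RE = re.compile(
    r"Debugger[\"']?\s*"
    r"(?:(?:/t|-\w+)\s+\S+\s+)*?"
    r"(?:=|/d|-Value)?\s*"
    r"(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>[^\s\"'/-]\S*))",
    re.IGNORECASE,
)

# cmd.exe or powershell.exe as a whole path component of the debugger value, so that
# "C:\Windows\System32\cmd.exe", a bare "cmd.exe" and "cmd.exe /c ..." all match while
# "notcmd.exe" or a mention of powershell.exe elsewhere in the event does not.
COMMAND_UTILITY_RE = re.compile(
    r"(?:^|[\\/\s])(?P<utility>cmd|powershell)\.exe(?=\s|$)", re.IGNORECASE
)


def detect_ifeo_hijack(events):
    """Return one finding per event that points an accessibility binary's IFEO
    Debugger value at cmd.exe or powershell.exe."""
    findings = []
    for event in events:
        target = IFEO_TARGET_RE.search(event)
        if target is None:
            continue  # not an accessibility binary's IFEO key
        debugger = DEBUGGER_VALUE_RE.search(event, target.end())
        if debugger is None:
            continue  # no Debugger value written after the key
        value = (debugger.group("dq") or debugger.group("sq")
                 or debugger.group("bare") or "").strip()
        utility = COMMAND_UTILITY_RE.search(value)
        if utility is None:
            continue  # a debugger, but not one of the command-line utilities
        findings.append({
            "target": target.group("target").lower(),
            "debugger": value,
            "utility": utility.group("utility").lower() + ".exe",
        })
    return findings


# Constructed sample events: the command text an event would carry, simplified to a
# single line each (not the exact layout of a Windows event message).
SAMPLE_EVENTS = [
    # Sticky Keys backdoor via a PowerShell registry cmdlet: should fire.
    r'Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    r'\Image File Execution Options\sethc.exe" -Name Debugger -Value "C:\Windows\System32\cmd.exe"',
    # Utility Manager hijack via reg.exe, mixed-case key, PowerShell as the debugger: should fire.
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    r'\UTILMAN.EXE" /v Debugger /t REG_SZ /d "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /f',
    # On-Screen Keyboard, bare value, extra switch before -Value: should fire.
    r"New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Image File Execution Options\osk.exe' -Name Debugger -PropertyType String -Value cmd.exe",
    # Debugger on a non-accessibility binary: not in scope.
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    r'\notepad.exe" /v Debugger /d "C:\Program Files\WinDbg\windbg.exe" /f',
    # Accessibility binary but a real debugger rather than a command shell: not flagged.
    r'Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    r'\Image File Execution Options\sethc.exe" -Name Debugger -Value "C:\Program Files\WinDbg\windbg.exe"',
    # Read-only query; powershell.exe appears only as the host application: not flagged.
    r'Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    r'\Image File Execution Options\sethc.exe" -Name Debugger'
    "\nHost Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
]

if __name__ == "__main__":
    for finding in detect_ifeo_hijack(SAMPLE_EVENTS):
        print(f"{finding['target']} -> {finding['utility']} ({finding['debugger']})")
```

A real 4103 message carries the command as CommandInvocation and ParameterBinding lines rather than the one-line command text used here, so the value-extraction pattern would need adapting to that layout; the target and utility checks apply unchanged. Matching on the whole path component of the debugger value, rather than on the substring "powershell.exe", is what keeps the host-application path in the last sample from triggering a false positive.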
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1059
  • T1546.008
  • T1546
Created: 2024-02-09