Windows Admin Password Changed by Non-Admin

Splunk Security Content

Summary
Detects when a non-privileged user changes the password of an Administrator or other high-value local account by monitoring Windows Security Event ID 4723. The rule matches password-change events whose target is a well-known admin SID (RID 500, or RID 512, 513, 518-520) where the SubjectUserSid differs from the target object and the subject's RID indicates a standard user (>= 1000). Matches are aggregated by destination, account, object_id, EventCode, and source, recording the first and last occurrence times. This pattern aligns with post-exploitation privilege escalation techniques (e.g., BlueHammer) in which an attacker temporarily changes an admin password to spawn an authenticated shell and then reverts it to avoid detection. Implementing this requires normalized, process-level telemetry from EDR/agents, mapped to the Endpoint data model (CIM-compliant), with complete command-line data to contextualize the activity.
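The following Python block is an added example, not Splunk's own SPL or code from the Security Content project. It models the matching and aggregation logic described in the summary and runs it over a handful of constructed Event ID 4723 records; the field names (SubjectUserSid, TargetSid, TargetUserName, Computer, source, _time) and the sample SIDs and timestamps are assumptions chosen to resemble Windows Security log fields.

```python
"""Added example: apply the 'admin password changed by non-admin' logic to
constructed Event ID 4723 records and aggregate the matches by
(dest, account, object_id, EventCode, source) with first/last seen times."""
from datetime import datetime

# RIDs the rule treats as high-value targets (taken from the rule summary).
HIGH_VALUE_RIDS = {500, 512, 513, 518, 519, 520}
STANDARD_USER_RID_MIN = 1000  # RIDs >= 1000 are ordinary, non-built-in accounts


def rid_of(sid: str) -> int:
    """Return the relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[-1])


def is_suspicious(event: dict) -> bool:
    """Rule: EventCode 4723, high-value target, subject != target, subject RID >= 1000."""
    if event.get("EventCode") != 4723:
        return False
    subject, target = event["SubjectUserSid"], event["TargetSid"]
    if subject == target:
        return False  # a user changing their own password is out of scope
    try:
        return rid_of(target) in HIGH_VALUE_RIDS and rid_of(subject) >= STANDARD_USER_RID_MIN
    except ValueError:
        return False  # malformed SID: skip the record rather than crash the pipeline


def aggregate(events):
    """Group matching events the way the rule does, tracking firstTime/lastTime/count."""
    groups = {}
    for ev in events:
        if not is_suspicious(ev):
            continue
        key = (ev["Computer"], ev["TargetUserName"], ev["TargetSid"],
               ev["EventCode"], ev["source"])
        ts = datetime.fromisoformat(ev["_time"])
        g = groups.setdefault(key, {"firstTime": ts, "lastTime": ts, "count": 0})
        g["firstTime"] = min(g["firstTime"], ts)
        g["lastTime"] = max(g["lastTime"], ts)
        g["count"] += 1
    return groups


# Constructed sample records (hypothetical SIDs, host name and times).
DOMAIN = "S-1-5-21-111-222-333"
SAMPLE_EVENTS = [
    # standard user (RID 1105) changes the built-in Administrator (RID 500): match
    {"_time": "2024-05-01T10:00:00", "EventCode": 4723, "Computer": "WS01",
     "SubjectUserSid": f"{DOMAIN}-1105", "TargetSid": f"{DOMAIN}-500",
     "TargetUserName": "Administrator", "source": "WinEventLog:Security"},
    # same actor, five minutes later (the revert described in the summary): match
    {"_time": "2024-05-01T10:05:00", "EventCode": 4723, "Computer": "WS01",
     "SubjectUserSid": f"{DOMAIN}-1105", "TargetSid": f"{DOMAIN}-500",
     "TargetUserName": "Administrator", "source": "WinEventLog:Security"},
    # Administrator changes their own password: subject == target, no match
    {"_time": "2024-05-01T11:00:00", "EventCode": 4723, "Computer": "WS01",
     "SubjectUserSid": f"{DOMAIN}-500", "TargetSid": f"{DOMAIN}-500",
     "TargetUserName": "Administrator", "source": "WinEventLog:Security"},
    # different event code (4724 password reset): no match
    {"_time": "2024-05-01T11:10:00", "EventCode": 4724, "Computer": "WS01",
     "SubjectUserSid": f"{DOMAIN}-1105", "TargetSid": f"{DOMAIN}-500",
     "TargetUserName": "Administrator", "source": "WinEventLog:Security"},
    # standard user changes another standard user (RID 1106): target not high-value
    {"_time": "2024-05-01T11:20:00", "EventCode": 4723, "Computer": "WS01",
     "SubjectUserSid": f"{DOMAIN}-1105", "TargetSid": f"{DOMAIN}-1106",
     "TargetUserName": "bob", "source": "WinEventLog:Security"},
]


def run_demo():
    """Return the aggregated findings for the constructed sample."""
    return aggregate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for key, g in run_demo().items():
        print(key, g["firstTime"], g["lastTime"], g["count"])
```

Only the two Administrator changes made by RID 1105 survive the filter and they collapse into one aggregated row with a first/last time five minutes apart, which is the short-lived change-and-revert window the summary calls out.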
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1068
  • T1543.003
Created: 2026-06-16