
Summary
This detection rule identifies the creation of hidden local user accounts on Windows systems by monitoring Security Event ID 4720 (a user account was created). Hidden accounts typically have names ending in a '$' character, the naming convention associated with system accounts. Such accounts should not be created under normal circumstances, so detecting them is critical for maintaining security and preventing unauthorized access. The rule's selection captures the creation of accounts whose names end in '$' but deliberately excludes the account named 'HomeGroupUser$', a legitimate account used by Windows HomeGroup. A hidden account may signal malicious activity, such as lateral movement or a persistence mechanism employed by threat actors, so security teams should investigate any such occurrence immediately. The rule is assigned a high level because of the risk associated with hidden user accounts. Documentation and references for the detection rule can be found in various resources, including the link provided in the references section.
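The selection-and-exclusion logic described above, replayed over a handful of constructed Event ID 4720 records (an added example, not the rule's own code; the field names EventID, TargetUserName, SubjectUserName, Computer and EventRecordID are those of the Windows Security log, and the sample events are made up):

```python
"""Hidden local account creation (Windows Security Event ID 4720)."""
from dataclasses import dataclass

# The rule's single exclusion: the legitimate Windows HomeGroup account.
# Windows account names are case-insensitive, so compare lower-cased.
EXCLUDED_ACCOUNTS = {"homegroupuser$"}

# Constructed sample events (not real log data). Field names follow the
# Security log schema for 4720; only the fields the rule needs are kept.
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "EventID": 4720, "Computer": "WS01",
     "SubjectUserName": "Administrator", "TargetUserName": "HomeGroupUser$"},
    {"EventRecordID": 2, "EventID": 4720, "Computer": "WS01",
     "SubjectUserName": "jdoe", "TargetUserName": "svc-backup$"},
    {"EventRecordID": 3, "EventID": 4720, "Computer": "WS02",
     "SubjectUserName": "jdoe", "TargetUserName": "helpdesk"},
    {"EventRecordID": 4, "EventID": 4726, "Computer": "WS02",
     "SubjectUserName": "jdoe", "TargetUserName": "tmpadmin$"},
    {"EventRecordID": 5, "EventID": 4720, "Computer": "SRV01",
     "SubjectUserName": "SYSTEM", "TargetUserName": "support$"},
]


@dataclass(frozen=True)
class Alert:
    record_id: int
    computer: str
    target_user: str
    created_by: str


def matches_hidden_account_rule(event: dict) -> bool:
    """Selection: EventID 4720 and TargetUserName ending in '$'; filter: not
    HomeGroupUser$. A trailing '$' follows the naming convention of system
    accounts and keeps the account out of 'net user' output, hence 'hidden'."""
    if event.get("EventID") != 4720:
        return False
    name = event.get("TargetUserName", "")
    return name.endswith("$") and name.lower() not in EXCLUDED_ACCOUNTS


def detect(events) -> list:
    """Apply the rule to an event stream; one Alert (high level) per hit."""
    return [
        Alert(e["EventRecordID"], e["Computer"], e["TargetUserName"],
              e.get("SubjectUserName", "<unknown>"))
        for e in events if matches_hidden_account_rule(e)
    ]
```

Against the constructed events, detect() alerts on records 2 and 5 only: record 1 is dropped by the HomeGroupUser$ filter, record 3 has no trailing '$', and record 4 is an account deletion (4726), not a creation.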
Categories
- Endpoint
- Windows
- On-Premise
Data Sources
- Windows Registry
- Logon Session
- User Account
Created: 2021-05-03