Hiding User Account Via SpecialAccounts Registry Key - CommandLine

Sigma Rules

Summary
This detection rule identifies changes to the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist, specifically modifications that set a value under it to "0". Setting an account's value to "0" hides that user account from the Windows logon screen, obscuring its presence from legitimate users and system administrators. Malicious actors often target this key to conceal accounts they have created and to maintain persistence in a compromised environment. The detection works by monitoring process creation events for command lines in which reg.exe is invoked with parameters that add or modify a value under this key, indicating an attempt to change user account visibility. The rule is classified at medium level; it highlights the importance of monitoring registry activity that can indicate misuse of administrative controls on Windows systems.
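To show how the command-line condition above can be applied to process creation telemetry, the following is an added Python example, not the Sigma rule itself or code from the project. It parses a reg.exe command line the way the detection intends (reg add, the SpecialAccounts\Userlist key, and data value 0) and runs it over a small set of constructed process creation events. It generalizes slightly beyond the rule text: it accepts the long HKEY_LOCAL_MACHINE form of the hive, a mixed-case key, a full path to reg.exe, and a "0x0" data value, while ignoring reg query and writes of non-zero values (which make an account visible again). The event records and account names are constructed for illustration.

```python
import shlex

# Registry path the rule watches, compared case-insensitively and without the hive prefix.
SPECIAL_ACCOUNTS_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist"


def _flag_arg(tokens, flag):
    """Return the argument following a reg.exe flag such as /v or /d, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == flag:
            return tokens[i + 1]
    return None


def hidden_account_write(command_line):
    """Return the account name if the command line is a reg.exe write of value 0
    under SpecialAccounts\\Userlist, otherwise None."""
    try:
        # posix=False keeps Windows backslashes intact and leaves quotes on tokens.
        tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    except ValueError:
        return None  # unbalanced quotes: not a well-formed reg.exe invocation
    if len(tokens) < 3:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    if SPECIAL_ACCOUNTS_KEY.lower() not in tokens[2].lower():
        return None
    data = _flag_arg(tokens, "/d")
    if data is None:
        return None
    try:
        if int(data, 0) != 0:  # accepts "0" and "0x0"; 1 makes the account visible again
            return None
    except ValueError:
        return None
    return _flag_arg(tokens, "/v") or "<unknown>"


def scan_events(events):
    """Return (record_id, account) for every process creation event that matches."""
    hits = []
    for event in events:
        account = hidden_account_write(event["CommandLine"])
        if account is not None:
            hits.append((event["RecordId"], account))
    return hits


# Constructed process creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1, "CommandLine": 'reg add "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist" /v svc_backup /t REG_DWORD /d 0 /f'},
    {"RecordId": 2, "CommandLine": 'C:\\Windows\\System32\\reg.exe ADD "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" /v helpdesk /t REG_DWORD /d 0x0 /f'},
    {"RecordId": 3, "CommandLine": 'reg add "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist" /v helpdesk /t REG_DWORD /d 1 /f'},
    {"RecordId": 4, "CommandLine": 'reg add HKCU\\Software\\Contoso\\App /v Setting /t REG_SZ /d 0 /f'},
    {"RecordId": 5, "CommandLine": 'reg query "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist"'},
]

if __name__ == "__main__":
    for record_id, account in scan_events(SAMPLE_EVENTS):
        print(f"record {record_id}: account '{account}' hidden from the logon screen")
```

Only records 1 and 2 match: record 3 sets the value to 1 (the account becomes visible again), record 4 writes a different key, and record 5 only reads the key. Feeding a real Sysmon event ID 1 or Security event ID 4688 CommandLine field into hidden_account_write gives the same result.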
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
Created: 2022-05-14