
Summary
This detection rule targets the creation of hidden local user accounts on Windows systems, specifically accounts whose names end with a dollar sign ($). Windows omits $-suffixed accounts from the output of `net user`, so attackers use the suffix to keep a persistence account out of the listing administrators most commonly check; the account is still present in the SAM and is still shown by Local Users and Groups (lusrmgr.msc) and by `Get-LocalUser`, so the suffix hides it from casual enumeration rather than from the system. The rule works from Windows registry events rather than account-management logs: local account names are stored as subkeys of HKLM\SAM\SAM\Domains\Account\Users\Names, and the appearance of a new subkey there whose name ends in $ indicates that a hidden account has been created. Investigation should establish who created the account and how. The registry write itself is performed by lsass.exe, so the process execution chain preceding it (for example net.exe) identifies the actor, and related alerts on the same host and for the same user should be reviewed to judge whether the action was legitimate. Legitimate creation of $-suffixed local accounts is rare, so a match should be treated as suspicious until the responsible administrator and the purpose of the account are confirmed.
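As an added example that is not part of the original rule or its author's code, the following Python applies the same detection logic to a handful of constructed registry events. It flags a key-creation event whose path is a direct subkey of the SAM Users\Names key and whose subkey name ends in $, and ignores $-suffixed keys elsewhere in the registry, later value writes to the same account key, and ordinary account names. The event field names (event_type, registry_path, process, host, ts) are assumptions of the example, not the schema of any particular sensor.

```python
import re
from typing import Dict, Iterable, List, Optional

# Local account names are stored as subkeys of this SAM key (Windows fact).
# A new subkey here is a new local account; a subkey name ending in "$"
# is an account that `net user` will not list.
SAM_NAMES_KEY = "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names"

# Match exactly one subkey level below the Names key, with an optional
# trailing backslash, and capture the account name only if it ends in "$".
HIDDEN_LOCAL_ACCOUNT = re.compile(
    r"^HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\([^\\]*\$)\\?$",
    re.IGNORECASE,
)

# Constructed registry events in a simplified, sensor-neutral shape
# (assumption: these field names are the example's own). On a real host the
# SAM write is made by lsass.exe on behalf of the tool that created the
# account, so "process" here names the writer, not the actor; the actor is
# found by correlating the preceding process events on the same host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-05-01T10:01:03Z", "host": "WS01", "event_type": "key_create",
     "registry_path": SAM_NAMES_KEY + "\\support$\\", "process": "lsass.exe"},
    {"ts": "2024-05-01T10:01:03Z", "host": "WS01", "event_type": "value_set",
     "registry_path": SAM_NAMES_KEY + "\\support$\\", "process": "lsass.exe"},
    {"ts": "2024-05-01T10:04:17Z", "host": "WS01", "event_type": "key_create",
     "registry_path": SAM_NAMES_KEY + "\\jdoe", "process": "lsass.exe"},
    {"ts": "2024-05-01T10:05:40Z", "host": "WS01", "event_type": "key_create",
     "registry_path": "HKLM\\SOFTWARE\\Acme\\share$", "process": "setup.exe"},
    {"ts": "2024-05-01T11:30:02Z", "host": "SRV02", "event_type": "key_create",
     "registry_path": SAM_NAMES_KEY + "\\backup$", "process": "lsass.exe"},
    {"ts": "2024-05-01T11:45:55Z", "host": "WS01", "event_type": "key_delete",
     "registry_path": SAM_NAMES_KEY + "\\support$\\", "process": "lsass.exe"},
]


def hidden_account_name(registry_path: str) -> Optional[str]:
    """Return the $-suffixed account name if the path is a direct subkey of
    the SAM Names key, otherwise None."""
    match = HIDDEN_LOCAL_ACCOUNT.match(registry_path)
    return match.group(1) if match else None


def detect_hidden_account_creation(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Emit one alert per key-creation event that adds a hidden local account.

    Value writes to the same key are follow-up activity for an account that
    was already alerted on, and deletions are cleanup, so only key_create
    events are considered.
    """
    alerts = []
    for event in events:
        if event.get("event_type") != "key_create":
            continue
        name = hidden_account_name(event.get("registry_path", ""))
        if name is None:
            continue
        alerts.append({
            "ts": event["ts"],
            "host": event["host"],
            "account": name,
            "writer": event["process"],  # lsass.exe; correlate to find the actor
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_hidden_account_creation(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']}: hidden local account "
              f"{alert['account']!r} created (registry writer {alert['writer']})")
```

Run against the constructed events, this reports the support$ creation on WS01 and the backup$ creation on SRV02 and nothing else. To validate a hit on the host itself, `Get-LocalUser | Where-Object Name -like '*$'` lists the accounts that `net user` omits.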
Categories
- Endpoint
- Windows
- Cloud
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1136
- T1136.001
Created: 2020-12-18