Local Account TokenFilter Policy Disabled

Elastic Detection Rules

Summary
This detection rule identifies modifications to the Windows registry value `LocalAccountTokenFilterPolicy`. By default this policy is not enabled (the value is absent), so UAC remote restrictions apply; when the value exists and is set to `1`, local administrator accounts receive a full high-integrity token during remote connections, effectively bypassing User Account Control (UAC). The rule monitors changes to this registry value to surface activity consistent with lateral movement or defense evasion. The query evaluates Windows registry events whose path ends in `LocalAccountTokenFilterPolicy` and looks for writes of the value `1` or `0x00000001`, which indicate an attempt to facilitate deeper movement into the network.
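To make the rule logic concrete, the following added example (not code from the Elastic detection-rules project) applies the matching conditions described above to a handful of constructed ECS-style registry events: a value write of `1` or `0x00000001` to `LocalAccountTokenFilterPolicy` alerts, while a write of `0`, a write to a different value under the same key, and a non-registry event do not. The host, user and process names are invented; the field names follow ECS but the events are not real telemetry.

```python
"""Added example (not Elastic's rule code): a minimal matcher reproducing the
logic this rule's summary describes, run over constructed ECS-style registry
events. Field names follow ECS; the sample values are invented."""

from __future__ import annotations

# A DWORD of 1 is rendered by different sources as "1" or "0x00000001".
ENABLING_VALUES = {"1", "0x00000001"}
VALUE_NAME = "localaccounttokenfilterpolicy"

# Constructed sample events (hypothetical hosts, users and processes).
SAMPLE_EVENTS = [
    {  # reg.exe writes DWORD 1: should alert
        "event.category": "registry", "event.type": "change",
        "host.name": "ws01", "user.name": "jdoe", "process.name": "reg.exe",
        "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
        "registry.data.strings": ["0x00000001"],
    },
    {  # same value written via PowerShell, rendered as "1": should alert
        "event.category": "registry", "event.type": "change",
        "host.name": "ws02", "user.name": "svc_build", "process.name": "powershell.exe",
        "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
        "registry.data.strings": "1",
    },
    {  # value set back to 0 (remote UAC restrictions restored): no alert
        "event.category": "registry", "event.type": "change",
        "host.name": "ws02", "user.name": "svc_build", "process.name": "powershell.exe",
        "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
        "registry.data.strings": "0",
    },
    {  # a different value under the same key: no alert
        "event.category": "registry", "event.type": "change",
        "host.name": "ws03", "user.name": "admin", "process.name": "reg.exe",
        "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
        "registry.data.strings": "1",
    },
    {  # not a registry event at all: no alert
        "event.category": "process", "event.type": "start",
        "host.name": "ws03", "process.name": "reg.exe",
    },
]


def _data_values(event: dict) -> list[str]:
    """ECS registry.data.strings may be a single string or an array."""
    raw = event.get("registry.data.strings", [])
    return [raw] if isinstance(raw, str) else list(raw)


def matches(event: dict) -> bool:
    """True when the event writes an enabling value to LocalAccountTokenFilterPolicy."""
    if event.get("event.category") != "registry" or event.get("event.type") != "change":
        return False
    path = event.get("registry.path", "")
    # Compare only the value name, case-insensitively; the hive prefix varies by source.
    if path.rsplit("\\", 1)[-1].lower() != VALUE_NAME:
        return False
    return any(v.strip().lower() in ENABLING_VALUES for v in _data_values(event))


def evaluate(events: list[dict]) -> list[dict]:
    """Return one alert record per matching event, with context useful for triage."""
    alerts = []
    for e in events:
        if matches(e):
            alerts.append({
                "host": e.get("host.name"),
                "user": e.get("user.name"),
                "process": e.get("process.name"),
                "value": _data_values(e)[0],
                "technique": "T1112 / T1550.002",
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script prints the two alerts (hosts `ws01` and `ws02`). When triaging a real hit, the writing process and user are the first things to check: a change pushed by a management agent under a known policy rollout is usually benign, while an interactive `reg.exe` or PowerShell write by an ordinary user account warrants a look at what remote logons to that host follow it.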
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Logon Session
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1112
  • T1562
  • T1550
  • T1550.002
Created: 2022-11-01