
Summary
This detection rule identifies the creation of a hidden user account on a Windows operating system. Adversaries sometimes hide user accounts by modifying the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList registry key: a DWORD value named after the account and set to 0 prevents that account from appearing on the logon screen. The detection logic is a SQL-like query over EDR (Endpoint Detection and Response) logs that looks for processes indicating registry changes related to user accounts. The rule has been associated with the threat actors known as 'Unfading Sea Haze' and is relevant to malware operations involving Dagon Locker and IcedID. Identifying hidden users can be critical in incident response, since it may indicate an ongoing compromise involving unauthorized user access. This detection is particularly relevant for organizations using CrowdStrike's EDR solutions and aims to improve visibility into defense evasion techniques employed by attackers.
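A minimal version of the rule's logic run over process telemetry, as an added example that is not the rule's own query or CrowdStrike code. It flags command lines that write a 0 under the UserList key via reg.exe or PowerShell; the event field names (ComputerName, ImageFileName, CommandLine) are assumed and the sample events are constructed.

```python
import re

# Per-user DWORD values under this key control logon-screen visibility (key path from the rule summary).
USERLIST_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

# Key path as it appears in a command line; tolerates HKEY_LOCAL_MACHINE, the PowerShell HKLM: form,
# and doubled backslashes from quoting.
_KEY_RE = re.compile(
    r"(?:HKLM|HKEY_LOCAL_MACHINE):?\\+SOFTWARE\\+Microsoft\\+Windows NT\\+CurrentVersion"
    r"\\+Winlogon\\+SpecialAccounts\\+UserList",
    re.IGNORECASE,
)
# Value name: reg.exe "/v <name>" or PowerShell "-Name <name>".
_VALUE_RE = re.compile(r'(?:/v|-Name)\s+"?([^\s"]+)"?', re.IGNORECASE)
# Data of exactly zero: reg.exe "/d 0" (or 0x0) or PowerShell "-Value 0". Non-zero data is not a hide.
_DATA_RE = re.compile(r'(?:/d|-Value)\s+"?(?:0x0+|0)"?(?=\s|$)', re.IGNORECASE)


def hidden_user_hits(events):
    """Return one hit per process event that sets a UserList value to 0."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if not _KEY_RE.search(cmd) or not _DATA_RE.search(cmd):
            continue
        name = _VALUE_RE.search(cmd)
        hits.append({
            "host": ev.get("ComputerName"),
            "image": ev.get("ImageFileName"),
            "account": name.group(1) if name else None,
            "command": cmd,
        })
    return hits


# Constructed sample EDR process events (assumed field names): two hides, one unhide, one unrelated write.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "ImageFileName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "' + USERLIST_KEY + r'" /v svc_backup /t REG_DWORD /d 0 /f'},
    {"ComputerName": "WS02", "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
                    r'\Winlogon\SpecialAccounts\UserList" -Name helpdesk -PropertyType DWord -Value 0'},
    {"ComputerName": "WS03", "ImageFileName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "' + USERLIST_KEY + r'" /v kiosk /t REG_DWORD /d 1 /f'},
    {"ComputerName": "WS04", "ImageFileName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\tools\u.exe" /f'},
]

if __name__ == "__main__":
    for hit in hidden_user_hits(SAMPLE_EVENTS):
        print(f"{hit['host']}: account '{hit['account']}' hidden via {hit['image']}")
```

In a real deployment the same check belongs on registry value-set telemetry as well, since a direct API write leaves no reg.exe or PowerShell command line to inspect.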
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1564.002
- T1564
Created: 2024-02-09