This rule detects the creation of a local user account through PowerShell by monitoring for the use of the `New-LocalUser` command within script blocks. The detection relies upon Script Block Logging being enabled on Windows systems. If the specified command is found, it indicates that a new local user may have been created, which can be a potential indicator of malicious activity such as account compromise or unauthorized access. The output from this rule can assist security teams in identifying suspicious administration tasks being performed in the environment. False positives may occur during legitimate user account management operations.