
Summary
This detection rule targets credential dumping attempts that register a new network provider in Windows. Malicious actors use this technique, in the manner of tools such as NPPSpy, to capture plaintext credentials from users or systems. The detection monitors registry changes for new network provider entries and raises an alert when a network provider is added to the system registry, unless the addition matches a predefined list of legitimate services. That exclusion reduces false positives from routine administrative activity while still surfacing unauthorized credential access attempts. The rule combines selection and filter criteria so that only suspicious activity is flagged, which makes it an essential part of a proactive security posture against credential theft in Windows environments.
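The check described above, as an added example that is not part of the original rule: a Python filter over constructed Sysmon Event ID 13 (registry value set) records that flags writes to a service's NetworkProvider\ProviderPath value whose service name is not on an allowlist. The allowlist is an assumption (a few default Windows providers), not the rule's own list, and the sample events are constructed, not real telemetry.

```python
import re

# Constructed sample of Sysmon Event ID 13 (RegistryEvent SetValue) records,
# reduced to the fields this check needs. Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\NPPSpy\NetworkProvider\ProviderPath",
     "Details": r"C:\Windows\System32\NPPSpy.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\RdpNp\NetworkProvider\ProviderPath",
     "Details": r"%SystemRoot%\System32\drprov.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature",
     "Details": "DWORD (0x00000001)"},
]

# A provider registration is the ProviderPath value under
# Services\<service>\NetworkProvider; accept CurrentControlSet or ControlSetNNN.
PROVIDER_PATH_RE = re.compile(
    r"^HKLM\\System\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\"
    r"(?P<service>[^\\]+)\\NetworkProvider\\ProviderPath$",
    re.IGNORECASE,
)

# Assumed allowlist of benign providers (lower-case service names); the real
# rule's list is not reproduced here. Tune this to the environment.
KNOWN_PROVIDERS = {"lanmanworkstation", "rdpnp", "webclient", "vmhgfs"}


def provider_service(target_object):
    r"""Return the service name if the written value is a NetworkProvider\ProviderPath, else None."""
    m = PROVIDER_PATH_RE.match(target_object)
    return m.group("service") if m else None


def flag_new_network_providers(events, allowlist=KNOWN_PROVIDERS):
    """Return (service, provider_dll, writing_process) for registrations outside the allowlist."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:          # only registry value-set events
            continue
        service = provider_service(ev.get("TargetObject", ""))
        if service is None or service.lower() in allowlist:
            continue
        hits.append((service, ev.get("Details", ""), ev.get("Image", "")))
    return hits


if __name__ == "__main__":
    for service, dll, writer in flag_new_network_providers(SAMPLE_EVENTS):
        print(f"ALERT: new network provider '{service}' -> {dll} (written by {writer})")
```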
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Windows Registry
Created: 2022-08-23