
Summary
This detection rule identifies potentially malicious modification of the IsCredGuardEnabled value under the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. Credential Guard uses this value to tell the WDigest security package that plaintext logon credentials must not be retained in memory; when an attacker changes it to indicate that Credential Guard is disabled, WDigest may resume caching logon credentials, exposing them to theft. The modification is usually paired with setting UseLogonCredential under the same key, which turns WDigest credential caching back on. The rule is mapped to MITRE ATT&CK technique T1112 (Modify Registry), a Defense Evasion technique: the registry change itself defeats a protection, and the credential access it enables is a separate follow-on step rather than what this rule observes. The detection criterion is a single condition on registry events: the TargetObject must end with the string '\IsCredGuardEnabled'. Because the condition inspects neither the data written nor the writing process, it also fires when the value is set legitimately; triage should check the value written (a DWORD of 0 indicates a disable, 1 an enable) and the image that performed the write. The rule is rated high severity because of the significant risk such modifications pose.
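As an added illustration (not part of the rule or of this page), the following Python applies the rule's single condition to constructed Sysmon registry value-set events and adds the triage context the condition itself omits: the value written, the writing process, and the pairing with UseLogonCredential described above. The sample events are made up; the DWORD rendering follows Sysmon's 'DWORD (0x........)' format, and the treatment of lsass.exe as the expected legitimate writer of IsCredGuardEnabled is this example's own assumption, to be tuned per environment.

```python
import re

# Constructed sample records modelled on Sysmon Event ID 13 (registry value set) fields.
# These are not real telemetry; they exercise the rule and the triage logic below.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\system32\lsass.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\IsCredGuardEnabled",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\system32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\IsCredGuardEnabled",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\system32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\system32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname",
     "Details": "WORKSTATION01"},
]

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
CRED_GUARD_SUFFIX = r"\iscredguardenabled"
USE_LOGON_CRED_SUFFIX = r"\uselogoncredential"
# Assumption for this example: lsass.exe is the expected legitimate writer of the flag.
EXPECTED_WRITER = r"\lsass.exe"


def matches_rule(event):
    """The rule's only selection: TargetObject|endswith '\\IsCredGuardEnabled'.
    Sigma string matching is case-insensitive, so the comparison is lower-cased."""
    return event.get("TargetObject", "").lower().endswith(CRED_GUARD_SUFFIX)


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000000)'; return the integer or None."""
    m = DWORD_RE.fullmatch(details or "")
    return int(m.group(1), 16) if m else None


def classify(event):
    """Triage context the rule does not evaluate: what was written and by which image.
    Returns 'disable', 'enable-expected', 'enable-unexpected' or 'unknown'."""
    value = parse_dword(event.get("Details"))
    image = event.get("Image", "").lower()
    if value == 0:
        return "disable"
    if value == 1:
        return "enable-expected" if image.endswith(EXPECTED_WRITER) else "enable-unexpected"
    return "unknown"


def run_rule(events):
    """Return (index, classification) for every event the rule would alert on."""
    return [(i, classify(e)) for i, e in enumerate(events) if matches_rule(e)]


def correlate(events):
    """Flag the pairing the summary describes: IsCredGuardEnabled set to 0 and
    UseLogonCredential set to 1 under the same WDigest key by the same process.
    Returns a list of (image, key) tuples, one per observed chain."""
    disables = [e for e in events if matches_rule(e) and parse_dword(e.get("Details")) == 0]
    cache_on = [e for e in events
                if e.get("TargetObject", "").lower().endswith(USE_LOGON_CRED_SUFFIX)
                and parse_dword(e.get("Details")) == 1]
    chains = []
    for d in disables:
        d_key = d["TargetObject"].rsplit("\\", 1)[0].lower()
        for u in cache_on:
            u_key = u["TargetObject"].rsplit("\\", 1)[0].lower()
            if u["Image"] == d["Image"] and u_key == d_key:
                chains.append((d["Image"], d_key))
    return chains


if __name__ == "__main__":
    for idx, kind in run_rule(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[idx]
        print(f"ALERT event#{idx}: {e['Image']} wrote {e['Details']} -> {kind}")
    for image, key in correlate(SAMPLE_EVENTS):
        print(f"CHAIN: {image} cleared the Credential Guard flag and enabled UseLogonCredential under {key}")
```

Run against the constructed events, the rule alerts on both IsCredGuardEnabled writes, the classification separates the expected enable from the disable, and the correlation step surfaces the reg.exe disable-plus-UseLogonCredential chain that the single endswith condition cannot express on its own.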
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2019-08-25