
Summary
This detection rule identifies post-exploitation NetNTLM downgrade attacks, in which an attacker who already has administrative rights on a Windows host weakens its NTLM client settings so that it sends LM or NTLMv1 responses, which can be cracked or relayed far more easily than NTLMv2, instead of the stronger NTLMv2 responses it would otherwise use. The rule monitors the Windows Security event log for Event ID 4657 ("A registry value was modified") on the registry values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa that govern NTLM authentication: 'LmCompatibilityLevel' (which LM/NTLM/NTLMv2 responses the client will send, 0 to 5, lower being weaker), 'NtlmMinClientSec' (the minimum session-security flags the NTLM SSP client requires, stored under the Lsa\MSV1_0 subkey) and 'RestrictSendingNTLMTraffic' (whether outgoing NTLM is allowed, audited or blocked, also under MSV1_0). Any modification of these values is reported so that attempts to force fallback to legacy protocols can be investigated; legitimate hardening changes (for example a Group Policy raising LmCompatibilityLevel) match as well and must be triaged by comparing the old and new values carried in the event.

Event ID 4657 is only generated when the Object Access audit subcategory 'Audit Registry' is enabled and the Lsa key carries a SACL that audits 'Set Value' for the relevant principals; without both, the rule produces nothing. Because a successful downgrade exposes crackable or relayable credential material for every account that authenticates from the host, the rule is categorized with a high severity level and is an important control against NTLM misconfiguration in Windows environments.
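The selection logic described above, applied to Event ID 4657 records and followed by a triage step that compares the old and new registry data, as an added example: this is illustrative code written for this page, not the rule's own query or any detection platform's implementation. The field names mirror the Security log's EventData (ObjectName, ObjectValueName, OldValue, NewValue, ProcessName, SubjectUserName); the sample events are constructed by hand, and the is_downgrade heuristic is an assumption added here, not part of the rule.

```python
# Added example for this page (not the rule's own query): apply the
# selection logic described above to Event ID 4657 records, then triage each
# hit by comparing the old and new registry data.  The field names mirror the
# Security log's EventData; the sample events below are constructed by hand.

LSA_KEY_FRAGMENT = r"\SYSTEM\CurrentControlSet\Control\Lsa"
MONITORED_VALUES = {"LmCompatibilityLevel", "NtlmMinClientSec",
                    "RestrictSendingNTLMTraffic"}


def matches_rule(event):
    """Rule selection: a 4657 that touches one of the three NTLM values
    under the Lsa key (or its MSV1_0 subkey)."""
    return (
        event.get("EventID") == 4657
        and LSA_KEY_FRAGMENT.lower() in event.get("ObjectName", "").lower()
        and event.get("ObjectValueName") in MONITORED_VALUES
    )


def parse_dword(text):
    """4657 renders REG_DWORD data as a decimal string; accept 0x... as well.
    Returns None for missing or non-numeric data (e.g. a deleted value)."""
    if not text:
        return None
    try:
        return int(text, 16) if text.lower().startswith("0x") else int(text)
    except ValueError:
        return None


def is_downgrade(value_name, old, new):
    """Triage heuristic added here (not part of the rule): True when the
    change weakens NTLM, False when it hardens or leaves it unchanged, None
    when the data cannot be compared."""
    if old is None or new is None:
        return None
    if value_name in ("LmCompatibilityLevel", "RestrictSendingNTLMTraffic"):
        # 0..5 for LmCompatibilityLevel (3+ = NTLMv2 only); 0 allow / 1 audit /
        # 2 deny for RestrictSendingNTLMTraffic.  Lower is weaker in both.
        return new < old
    if value_name == "NtlmMinClientSec":
        # Bit flags of required session security (0x00080000 = NTLMv2 session
        # security, 0x20000000 = 128-bit encryption).  Any flag that was
        # required before and is not required now is a downgrade.
        return (old & ~new) != 0
    return None


def scan(events):
    """Return one alert per matching event, enriched with the triage verdict."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        old, new = parse_dword(ev.get("OldValue")), parse_dword(ev.get("NewValue"))
        alerts.append({
            "value": ev["ObjectValueName"],
            "old": old,
            "new": new,
            "downgrade": is_downgrade(ev["ObjectValueName"], old, new),
            "process": ev.get("ProcessName"),
            "user": ev.get("SubjectUserName"),
        })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # true positive: client allowed to send NTLMv1 again
        "EventID": 4657, "SubjectUserName": "Administrator",
        "ProcessName": r"C:\Windows\System32\reg.exe",
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
        "ObjectValueName": "LmCompatibilityLevel", "OldValue": "5", "NewValue": "2",
    },
    {   # true positive: NTLMv2 session security no longer required
        "EventID": 4657, "SubjectUserName": "Administrator",
        "ProcessName": r"C:\Windows\System32\reg.exe",
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
        "ObjectValueName": "NtlmMinClientSec",
        "OldValue": "537395200", "NewValue": "536870912",   # 0x20080000 -> 0x20000000
    },
    {   # matches the rule but is a hardening change (allow all -> deny all)
        "EventID": 4657, "SubjectUserName": "svc_gpo",
        "ProcessName": r"C:\Windows\System32\svchost.exe",
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
        "ObjectValueName": "RestrictSendingNTLMTraffic", "OldValue": "0", "NewValue": "2",
    },
    {   # same key, unmonitored value: no alert
        "EventID": 4657, "SubjectUserName": "Administrator",
        "ProcessName": r"C:\Windows\regedit.exe",
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
        "ObjectValueName": "LimitBlankPasswordUse", "OldValue": "1", "NewValue": "0",
    },
    {   # 4663 (object access attempt), not a value modification: no alert
        "EventID": 4663, "SubjectUserName": "Administrator",
        "ProcessName": r"C:\Windows\regedit.exe",
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
        "ObjectValueName": "LmCompatibilityLevel",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        verdict = {True: "DOWNGRADE", False: "hardening/no-op", None: "unknown"}[alert["downgrade"]]
        print(f"{alert['value']}: {alert['old']} -> {alert['new']} by {alert['user']} "
              f"({alert['process']}) [{verdict}]")
```

The rule itself fires on all three 4657 records that touch the monitored values, including the Group Policy hardening change; the triage verdict is what separates the two genuine downgrades from it, and the process and subject fields are what an analyst would pivot on next (reg.exe run interactively by an administrator on a workstation is a very different story from svchost.exe applying policy).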
Categories
- Windows
- Network
Data Sources
- Windows Registry
- Application Log
Created: 2018-03-20