
Possible Credential Dumping via Windows Network Providers

Anvilogic Forge

Summary
This detection rule targets potential credential dumping by monitoring for unauthorized modifications to the Windows registry values that register network providers. A network provider is a DLL that implements the Windows Network Provider API so the system can reach a particular network or file-sharing protocol (LanmanWorkstation for SMB, for example). The Multiple Provider Router (mpr.dll) loads every provider named in HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order (the ProviderOrder value) and notifies each of them of interactive logons, passing the user's cleartext credentials. An adversary who registers a rogue provider, by creating a HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider key whose ProviderPath points at a malicious DLL and appending that name to ProviderOrder, therefore receives every username and password typed at the logon screen. The rule specifically detects processes such as reg.exe and powershell.exe whose command lines write to these network provider registry paths, a pattern that mirrors Atomic Test T1003 Test #2 for credential access. Legitimate software (VPN clients and some endpoint agents) also registers network providers, so baseline the providers present in your environment before relying on this rule.
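As an added illustration, not Anvilogic's rule logic or its query language, the following Python applies the two checks described above to constructed Sysmon-style events: process creations where reg.exe or PowerShell writes to the network provider keys, and registry SetValue/CreateKey events on those keys, with non-baseline names in ProviderOrder called out. The event field names, the baseline provider list and the "EvilProv" sample provider are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry locations that control Windows network providers:
#   HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order : ProviderOrder (comma-separated list)
#   HKLM\SYSTEM\CurrentControlSet\Services\<svc>\NetworkProvider : Name, Class, ProviderPath (DLL mpr.dll loads)
ORDER_KEY_RE = re.compile(r"\\Control\\NetworkProvider\\Order\\?(ProviderOrder)?$", re.I)
PROVIDER_KEY_RE = re.compile(r"\\Services\\([^\\]+)\\NetworkProvider(\\(ProviderPath|Name|Class))?$", re.I)

# Command-line tools and write verbs the rule keys on.
WRITER_IMAGES = {"reg.exe", "powershell.exe", "pwsh.exe"}
WRITE_VERBS_RE = re.compile(r'\breg(\.exe)?"?\s+add\b|set-itemproperty|new-itemproperty|new-item\b', re.I)

# Providers shipped with Windows (typical default ProviderOrder). Assumption: tune per environment,
# since VPN clients and endpoint agents legitimately register providers too.
BASELINE_PROVIDERS = {"rdpnp", "lanmanworkstation", "webclient"}


@dataclass
class Alert:
    host: str
    reason: str
    evidence: str


def inspect_process_event(ev: dict) -> Optional[Alert]:
    """Sysmon EID 1 style record (Image, CommandLine): flag reg/PowerShell writes to provider keys."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("CommandLine", "")
    if image not in WRITER_IMAGES:
        return None
    if "networkprovider" not in cmd.lower() or not WRITE_VERBS_RE.search(cmd):
        return None  # reads such as 'reg query' are not modifications
    return Alert(ev["Computer"], f"{image} writing network provider registry keys", cmd)


def inspect_registry_event(ev: dict) -> Optional[Alert]:
    """Sysmon EID 12/13 style record (TargetObject, Details for SetValue)."""
    target = ev.get("TargetObject", "")
    details = ev.get("Details", "")
    if ORDER_KEY_RE.search(target):
        names = {n.strip().lower() for n in details.split(",") if n.strip()}
        unknown = sorted(names - BASELINE_PROVIDERS)
        if unknown:
            return Alert(ev["Computer"],
                         f"ProviderOrder gained non-baseline provider(s): {','.join(unknown)}",
                         f"{target} = {details}")
        return None  # ProviderOrder rewritten with only known providers
    match = PROVIDER_KEY_RE.search(target)
    if match:
        return Alert(ev["Computer"],
                     f"NetworkProvider key written for service '{match.group(1)}'",
                     f"{target} = {details}".rstrip(" ="))
    return None


def run_detection(events: List[dict]) -> List[Alert]:
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            alert = inspect_process_event(ev)
        elif ev["EventID"] in (12, 13):
            alert = inspect_registry_event(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: two benign events, then the shape of a rogue provider registration.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order"},
    {"EventID": 13, "Computer": "WS01",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\\ProviderOrder",
     "Details": "RDPNP,LanmanWorkstation,webclient"},
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -c Set-ItemProperty -Path HKLM:\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order "
                    "-Name PROVIDERORDER -Value 'RDPNP,LanmanWorkstation,webclient,EvilProv'"},
    {"EventID": 13, "Computer": "WS02",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order\\ProviderOrder",
     "Details": "RDPNP,LanmanWorkstation,webclient,EvilProv"},
    {"EventID": 13, "Computer": "WS02",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EvilProv\\NetworkProvider\\ProviderPath",
     "Details": "%SystemRoot%\\System32\\evilprov.dll"},
    {"EventID": 1, "Computer": "WS03", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\EvilProv\\NetworkProvider /v Class /t REG_DWORD /d 2 /f"},
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.reason}\n    {a.evidence}")
```

The command-line check alone is easy to evade (an `-EncodedCommand` payload or a custom binary calling RegSetValueEx never mentions "NetworkProvider" in its command line), which is why the registry SetValue/CreateKey events are the more robust half of the rule; the ProviderOrder baseline comparison also turns an otherwise noisy key write into a specific finding.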
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1003
  • T1112
Created: 2024-02-09