
Potential Credential Dumping Attempt Using New NetworkProvider - CLI

Sigma Rules

Summary
This detection rule targets a behavioral pattern associated with credential dumping through a newly registered network provider. Windows calls each registered network provider during interactive logon and hands it the user's credentials, so an attacker who registers a malicious provider DLL can capture clear text passwords; the NPPSpy tool demonstrates this technique. The rule monitors process creation events on Windows and looks for command lines that register a network provider in the registry, that is, command lines referencing a service key under '\System\CurrentControlSet\Services\' together with its 'NetworkProvider' subkey. Legitimate providers exist and are sometimes configured from the command line, so the rule acknowledges that false positives may arise when other network providers are used. A command line that writes to this registry path from an unexpected process nonetheless indicates a likely unauthorized modification and warrants investigation. The rule carries a high severity level and is intended to detect credential theft in enterprise environments.
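The following is an added example, not the rule's own Sigma logic or SigmaHQ project code. It re-implements the detection described above in plain Python and runs it over constructed process-creation events: a command line is flagged when it references both '\System\CurrentControlSet\Services\' and a 'NetworkProvider' subkey, case-insensitively, and is then dropped if the key belongs to a built-in provider. The allowlist of built-in providers (LanmanWorkstation, WebClient, RDPNP), the function names and the sample events are assumptions made for this example.

```python
"""Illustrative re-implementation of the detection summarized above.

Added example, not the Sigma rule itself. The two required fragments
follow the rule's description; the allowlist and the sample events are
assumptions constructed for this example.
"""

# Both fragments must appear (case-insensitively) for the selection to fire.
REQUIRED_FRAGMENTS = (
    "\\system\\currentcontrolset\\services\\",
    "\\networkprovider",
)

# ASSUMPTION: providers that ship with Windows and are expected to be
# referenced by legitimate tooling. Extend this for third-party providers
# present in your estate rather than disabling the detection.
KNOWN_PROVIDER_KEYS = (
    "\\services\\lanmanworkstation\\networkprovider",
    "\\services\\webclient\\networkprovider",
    "\\services\\rdpnp\\networkprovider",
)


def classify(command_line: str) -> str:
    """Return 'match', 'filtered' or 'no_match' for one process command line."""
    needle = command_line.lower()
    if not all(frag in needle for frag in REQUIRED_FRAGMENTS):
        return "no_match"          # selection did not fire
    if any(known in needle for known in KNOWN_PROVIDER_KEYS):
        return "filtered"          # selection fired but a known provider was touched
    return "match"                 # alert


def run_detection(events):
    """Return (ProcessId, Image, CommandLine) for events the rule would alert on."""
    return [
        (e["ProcessId"], e["Image"], e["CommandLine"])
        for e in events
        if classify(e["CommandLine"]) == "match"
    ]


# Constructed process-creation events (shaped like Sysmon Event ID 1 fields);
# these are not real telemetry.
SAMPLE_EVENTS = [
    {   # registers a new provider DLL: the pattern the rule exists for
        "ProcessId": 4120, "Image": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": 'reg.exe add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\EvilProv\\NetworkProvider" '
                       '/v ProviderPath /t REG_EXPAND_SZ /d "C:\\Temp\\evilprov.dll" /f',
    },
    {   # same intent through PowerShell's registry drive, different casing
        "ProcessId": 4133, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -c New-Item -Path "
                       "'hklm:\\system\\currentcontrolset\\services\\EvilProv\\networkprovider' -Force",
    },
    {   # touches a built-in provider: selection fires but the allowlist drops it
        "ProcessId": 5002, "Image": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": "reg.exe query HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation"
                       "\\NetworkProvider /v ProviderPath",
    },
    {   # service key edit with no NetworkProvider subkey: out of scope
        "ProcessId": 5010, "Image": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": "reg.exe add HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler /v Start /t REG_DWORD /d 2 /f",
    },
    {   # the provider order list lives under Control, not Services: out of scope
        "ProcessId": 5011, "Image": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": "reg.exe query HKLM\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order",
    },
]


if __name__ == "__main__":
    for pid, image, cmd in run_detection(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image}\n  {cmd}")
```

Two points from the sample set are worth carrying into production. The allowlist must be a key-path match, not a provider-name match, or an attacker can hide behind a name such as 'LanmanWorkstation2'. And because this rule keys on command lines, a provider registered through direct registry API calls from a custom binary produces no matching process creation event, so pair it with registry-write telemetry on the same 'NetworkProvider' keys.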
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
Created: 2022-08-23