
Summary
This detection rule identifies attempts to disable Windows Credential Guard, a security feature that uses virtualization-based security (VBS) to isolate the secrets held by the Local Security Authority in an environment the normal operating system cannot read. Attackers may seek to disable Credential Guard so that credential material such as NTLM hashes and Kerberos tickets becomes recoverable from LSASS memory again, which facilitates lateral movement and privilege escalation within a network. The rule monitors the registry values that control Credential Guard, namely the virtualization-based security enablement setting and the LSA configuration flags, and alerts on any write that sets one of these values to 0, since 0 is the setting that turns the protection off. The detection has a high severity level due to the risk associated with disabling Credential Guard.

Two points matter when tuning this rule. The values are DWORDs, so the match on 0 has to account for how the data source renders them (Sysmon Event ID 13, for example, reports the data as "DWORD (0x00000000)") and for path aliases such as ControlSet001 in place of CurrentControlSet. The change also only takes effect after a reboot, and on hosts where Credential Guard was enabled with UEFI lock the registry write alone does not disable it; the write is still a strong signal of tampering. Group Policy refreshes legitimately rewrite these values, so alerts are best triaged by the writing process and by whether the configured policy actually changed.
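The following is an added worked example of the detection logic, written for this page; it is not the rule's own query. It runs the check over constructed registry events in the shape of Sysmon Event ID 13 (TargetObject plus a Details field such as "DWORD (0x00000000)"). The page does not list the exact registry paths the rule matches, so the watched set below is an assumption built from the Microsoft-documented Credential Guard values (EnableVirtualizationBasedSecurity under DeviceGuard and LsaCfgFlags under Lsa, plus their Group Policy counterparts). The path normalization and the DWORD parsing are the two practitioner checks the prose calls for.

```python
"""Detection logic for registry writes that disable Windows Credential Guard.

Added example for this page, not the rule's own query. Events are constructed
in the shape of Sysmon Event ID 13 (RegistryEvent: Value Set).
"""
import json
import re

# Assumption: the watched set. The page does not list the rule's exact paths;
# these are the Microsoft-documented Credential Guard / VBS values, normalized.
WATCHED_VALUES = frozenset({
    r"hklm\system\currentcontrolset\control\deviceguard\enablevirtualizationbasedsecurity",
    r"hklm\system\currentcontrolset\control\lsa\lsacfgflags",
    r"hklm\software\policies\microsoft\windows\deviceguard\enablevirtualizationbasedsecurity",
    r"hklm\software\policies\microsoft\windows\deviceguard\lsacfgflags",
})

# Sysmon renders numeric data as "DWORD (0x00000000)" or "QWORD (0x...)".
_INT_DETAILS = re.compile(r"^(?:DWORD|QWORD)\s*\((0x[0-9a-f]+)\)$", re.IGNORECASE)
# Some sources log ControlSet001/002 instead of the CurrentControlSet link.
_CONTROLSET = re.compile(r"\\controlset\d{3}\\")


def normalize_path(target: str) -> str:
    """Canonicalize a registry path so hive aliases and ControlSet00N compare equal."""
    p = target.strip().lower()
    for alias in ("\\registry\\machine\\", "hkey_local_machine\\"):
        if p.startswith(alias):
            p = "hklm\\" + p[len(alias):]
            break
    return _CONTROLSET.sub(r"\\currentcontrolset\\", p)


def parse_numeric(details: str):
    """Return the integer a Sysmon Details field encodes, or None for non-numeric data."""
    m = _INT_DETAILS.match(details.strip())
    return int(m.group(1), 16) if m else None


def is_credential_guard_disable(event: dict) -> bool:
    """True when the event is a value-set of 0 on a watched Credential Guard value."""
    if event.get("EventType") != "SetValue":
        return False
    if normalize_path(event.get("TargetObject", "")) not in WATCHED_VALUES:
        return False
    return parse_numeric(event.get("Details", "")) == 0


def scan(lines):
    """Run the check over JSON event lines; one high-severity alert per hit."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if is_credential_guard_disable(ev):
            alerts.append({
                "severity": "high",
                "host": ev.get("Computer"),
                "process": ev.get("Image"),
                "target": normalize_path(ev["TargetObject"]),
            })
    return alerts


# Constructed sample events (not real telemetry). Hosts and paths are made up.
SAMPLE_EVENTS = [
    # 1. reg.exe zeroes LsaCfgFlags: should alert.
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LsaCfgFlags",
     "Details": "DWORD (0x00000000)"},
    # 2. Group Policy re-applies a value of 1: not a disable, no alert.
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity",
     "Details": "DWORD (0x00000001)"},
    # 3. Kernel-style path with ControlSet001: should alert after normalization.
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS02",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\DeviceGuard\\EnableVirtualizationBasedSecurity",
     "Details": "DWORD (0x00000000)"},
    # 4. A 0 written to an unrelated LSA value: outside the watched set, no alert.
    {"EventID": 13, "EventType": "SetValue", "Computer": "WS02",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\RunAsPPL",
     "Details": "DWORD (0x00000000)"},
    # 5. Value deleted rather than set: not covered by a write-of-0 rule.
    {"EventID": 12, "EventType": "DeleteValue", "Computer": "WS03",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\LsaCfgFlags"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(json.dumps(alert))
```

Events 1 and 3 produce alerts; event 2 is the benign policy refresh the tuning note describes, event 4 shows why the path match must be exact rather than a substring on "Lsa", and event 5 shows a gap in a rule scoped to writes of 0: deleting the value is a different event type and is not matched by this logic.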
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2025-12-26