Windows Credential Guard Related Registry Value Deleted - Registry

Sigma Rules

Summary
This detection rule identifies attempts to disable Windows Credential Guard by monitoring deletions of specific registry values. Windows Credential Guard is a security feature that uses virtualization-based security to isolate sensitive secrets such as NTLM hashes and Kerberos tickets, so that only authorized system processes can access them. Attackers may delete the registry values that enable the feature in order to switch it off, regaining access to those credentials and potentially enabling lateral movement within a network or privilege escalation on compromised systems. The rule inspects registry deletion events for specific keys that indicate an attempt to disable Credential Guard and raises an alert whenever one of them is deleted, informing security teams of potentially malicious activity.
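The following is an added illustration of the matching logic described above, written for this page; it is not the Sigma rule's own detection block. It assumes the registry_delete log source maps to Sysmon Event ID 12 with a DeleteValue event type, and uses the Credential Guard and virtualization-based-security values documented by Microsoft (LsaCfgFlags, EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures) as the watched paths, since the page does not list the rule's exact patterns. The log lines are constructed, not real telemetry.

```python
from dataclasses import dataclass

# Registry values that configure Credential Guard / virtualization-based
# security (documented by Microsoft). Assumption: the catalogued rule watches
# values like these; the page does not list its exact TargetObject patterns.
CREDENTIAL_GUARD_VALUES = (
    r"\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags",
    r"\SYSTEM\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity",
    r"\SYSTEM\CurrentControlSet\Control\DeviceGuard\RequirePlatformSecurityFeatures",
    r"\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags",
)


@dataclass(frozen=True)
class RegistryEvent:
    event_id: int        # Sysmon 12 = registry object create/delete, 13 = value set
    event_type: str      # e.g. "DeleteValue", "DeleteKey", "SetValue"
    target_object: str   # full registry path of the affected key or value
    image: str           # process that performed the operation


def parse_line(line: str) -> RegistryEvent:
    """Parse one constructed 'Field=Value|Field=Value' log line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return RegistryEvent(
        event_id=int(fields["EventID"]),
        event_type=fields["EventType"],
        target_object=fields["TargetObject"],
        image=fields["Image"],
    )


def is_credential_guard_value_deletion(ev: RegistryEvent) -> bool:
    """Sigma-style match: a registry value deletion (Sysmon EID 12, DeleteValue)
    whose TargetObject ends with a watched value path. The comparison is
    case-insensitive, as Sigma's endswith modifier is."""
    if ev.event_id != 12 or ev.event_type != "DeleteValue":
        return False
    target = ev.target_object.lower()
    return any(target.endswith(v.lower()) for v in CREDENTIAL_GUARD_VALUES)


def scan(log_text: str) -> list[RegistryEvent]:
    """Return the events that would raise this alert."""
    return [ev for ev in map(parse_line, log_text.strip().splitlines())
            if is_credential_guard_value_deletion(ev)]


# Constructed sample log (not real telemetry): two value deletions that should
# alert, one value set (a different rule's concern), one unrelated deletion,
# and one deletion of the parent key rather than a value.
SAMPLE_LOG = r"""
EventID=12|EventType=DeleteValue|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags|Image=C:\Windows\regedit.exe
EventID=12|EventType=DeleteValue|TargetObject=HKLM\System\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity|Image=C:\Windows\System32\reg.exe
EventID=13|EventType=SetValue|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags|Image=C:\Windows\System32\svchost.exe
EventID=12|EventType=DeleteValue|TargetObject=HKLM\SOFTWARE\ExampleVendor\App\CacheSize|Image=C:\Program Files\ExampleVendor\app.exe
EventID=12|EventType=DeleteKey|TargetObject=HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard|Image=C:\Windows\System32\reg.exe
"""


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT: {hit.image} deleted {hit.target_object}")
```

Running the block reports the first two lines only. Note the last sample line: removing the parent DeviceGuard key produces a DeleteKey event rather than per-value DeleteValue events, so a value-suffix match of this shape does not cover it; a companion condition on key deletions, and an allowlist for expected management processes, are the usual tuning steps when deploying this kind of rule.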
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Windows Registry
Created: 2025-12-26