Windows Modify Registry ProxyServer

Splunk Security Content

Summary
The rule 'Windows Modify Registry ProxyServer' detects modifications to the Windows registry entries that hold proxy server settings, specifically the registry path 'Internet Settings\ProxyServer'. Using Sysmon EventID 12 and EventID 13, the detection identifies potentially unauthorized changes that could indicate malicious activity, such as an attacker configuring a proxy for covert communication with Command and Control (C2) servers. Because a proxy configuration can provide a persistent channel for data exfiltration, monitoring these changes is important for endpoint security. This analytic provides visibility into such registry modifications so that possible threats can be detected early and the integrity of system communications maintained. Administrators should be aware of potential false positives, particularly when legitimate administrator actions involve enabling or disabling proxy settings.
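As an added example, not the Splunk rule's own SPL, this Python reproduces the detection logic over constructed Sysmon EventID 12 and 13 records: it flags registry events whose TargetObject is the Internet Settings\ProxyServer value and keeps the writing process and the new value so an analyst can separate legitimate administrator actions from unknown binaries. The XML layout (Sysmon namespace dropped), the SID, the file paths and the proxy address are constructed sample data.

```python
import xml.etree.ElementTree as ET
# Registry value the rule watches; matched as a suffix so any user hive (HKU\<SID>\...) qualifies.
REGISTRY_SUFFIX = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer"

# Constructed Sysmon events in Event XML layout (namespace dropped for brevity). These are
# sample data written for this example, not log lines from the page or from Splunk.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>13</EventID></System><EventData>
 <Data Name="EventType">SetValue</Data>
 <Data Name="Image">C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe</Data>
 <Data Name="TargetObject">HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer</Data>
 <Data Name="Details">198.51.100.7:8080</Data>
</EventData></Event>
<Event><System><EventID>12</EventID></System><EventData>
 <Data Name="EventType">DeleteValue</Data>
 <Data Name="Image">C:\\Windows\\System32\\rundll32.exe</Data>
 <Data Name="TargetObject">HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer</Data>
</EventData></Event>
<Event><System><EventID>13</EventID></System><EventData>
 <Data Name="EventType">SetValue</Data>
 <Data Name="Image">C:\\Windows\\explorer.exe</Data>
 <Data Name="TargetObject">HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive</Data>
 <Data Name="Details">C:\\Users\\alice\\OneDrive.exe</Data>
</EventData></Event>
</Events>"""

def _fields(event):
    """Flatten one <Event> into a dict: EventID plus every EventData Name/value pair."""
    fields = {"EventID": int(event.findtext("System/EventID"))}
    for data in event.iter("Data"):
        fields[data.get("Name")] = data.text or ""
    return fields

def detect_proxyserver_changes(xml_text):
    """Return the events the rule would flag: Sysmon EventID 12 (key/value create or delete)
    or 13 (value set) whose TargetObject is the Internet Settings\\ProxyServer value."""
    hits = []
    for event in ET.fromstring(xml_text).iter("Event"):
        f = _fields(event)
        target = f.get("TargetObject", "")
        if f["EventID"] in (12, 13) and target.lower().endswith(REGISTRY_SUFFIX.lower()):
            hits.append({"event_id": f["EventID"], "event_type": f.get("EventType", ""),
                         "image": f.get("Image", ""), "target": target,
                         "details": f.get("Details", "")})  # Details = new proxy value
    return hits

if __name__ == "__main__":
    for hit in detect_proxyserver_changes(SAMPLE_EVENTS):
        print(f"EventID {hit['event_id']} {hit['event_type']}: {hit['image']} -> {hit['details'] or '<removed>'}")
```

The third constructed event touches a Run key rather than ProxyServer and is correctly ignored; the first two are the kind of hit an analyst would triage by the Image that wrote the value.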
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1112
Created: 2024-11-13