
Summary
This detection rule identifies attempts to modify the WDigest security provider configuration in the Windows registry, which may indicate an adversary preparing to harvest plaintext passwords from LSASS memory. The rule monitors changes to the `UseLogonCredential` value under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`. On current Windows versions (Windows 8.1 and Server 2012 R2 and later, or earlier versions with KB2871997 installed) WDigest caching is disabled by default, the value being absent or set to 0, so the Local Security Authority does not keep logon credentials in clear text. Setting the value to 1 re-enables caching, and the plaintext passwords of every user who logs on afterwards can then be read from LSASS memory with a credential dumping tool such as Mimikatz. The rule uses an EQL (Event Query Language) query for registry creation and change events on this value within its short look-back window (`now-9m`, nine minutes); it matches only writes that enable caching, so changes that set the value back to 0, as hardening scripts do, do not alert. Key investigation steps include reconstructing the process and script execution chain that made the change, checking for other alerts on the same user or host, and looking for credential dumping tools or suspicious access to LSASS. A confirmed hit calls for swift incident response, including resetting the credentials of every account that logged on to the host while caching was enabled.
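The detection logic described above, applied to a few constructed registry events, as an added example that is not the rule's own EQL query: the registry path is matched case-insensitively with a wildcard covering the `ControlSet00N` aliases, the written DWORD is normalised across the renderings different sensors use (an integer, `"1"`, `"0x00000001"`, or Sysmon's `DWORD (0x00000001)`), and only writes that set the value to 1 alert. The event field names (`category`, `type`, `path`, `data`, `process`, `command_line`, `host`) and the sample events are this example's own constructions, not an agent's schema.

```python
"""Added example: detect UseLogonCredential being enabled in constructed registry events."""
import fnmatch
import re
from typing import Dict, Iterable, List, Optional

# Registry path the rule watches. The wildcard covers CurrentControlSet as well as
# the ControlSet00N aliases it resolves to; matching is done on lower-cased paths.
WDIGEST_PATH_PATTERN = (
    r"hklm\system\*controlset*\control\securityproviders\wdigest\uselogoncredential"
)


def registry_dword(data) -> Optional[int]:
    """Normalise a REG_DWORD as different sensors report it: an int, a decimal
    string ("1"), a hex string ("0x00000001") or Sysmon's "DWORD (0x00000001)"."""
    if isinstance(data, bool):
        return None
    if isinstance(data, int):
        return data
    if isinstance(data, str):
        s = data.strip().lower()
        m = re.search(r"0x([0-9a-f]+)", s)
        if m:
            return int(m.group(1), 16)
        if s.isdigit():
            return int(s)
    return None


def is_wdigest_enable(event: Dict) -> bool:
    """True when a registry creation/change event sets UseLogonCredential to 1.

    Writes of 0 (what hardening scripts do) are deliberately not matched,
    mirroring the rule's filter on the value being written.
    """
    if event.get("category") != "registry":
        return False
    if event.get("type") not in ("creation", "change"):
        return False
    path = str(event.get("path", "")).lower()
    if not fnmatch.fnmatchcase(path, WDIGEST_PATH_PATTERN):
        return False
    return registry_dword(event.get("data")) == 1


def scan(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per matching event, carrying the triage context an
    analyst wants first: which process wrote the value, how, and on which host."""
    alerts = []
    for ev in events:
        if is_wdigest_enable(ev):
            alerts.append({
                "host": ev.get("host"),
                "process": ev.get("process"),
                "command_line": ev.get("command_line"),
                "path": ev.get("path"),
            })
    return alerts


# Constructed sample events (flat dicts; field names are this example's own).
# Only the first and the last should alert.
SAMPLE_EVENTS = [
    {   # reg.exe enabling caching, Sysmon-style DWORD rendering -> alert
        "category": "registry", "type": "change", "host": "WS01",
        "path": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
        "data": "DWORD (0x00000001)", "process": "reg.exe",
        "command_line": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f",
    },
    {   # hardening script setting the value to 0 -> no alert
        "category": "registry", "type": "change", "host": "WS02",
        "path": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
        "data": "0", "process": "powershell.exe",
        "command_line": r"powershell.exe -Command Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name UseLogonCredential -Value 0",
    },
    {   # unrelated value under the same provider key -> no alert
        "category": "registry", "type": "change", "host": "WS03",
        "path": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\Debug",
        "data": "1", "process": "regedit.exe", "command_line": "regedit.exe",
    },
    {   # value created fresh under a ControlSet00N alias, decimal string -> alert
        "category": "registry", "type": "creation", "host": "SRV01",
        "path": r"HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\UseLogonCredential",
        "data": "1", "process": "powershell.exe",
        "command_line": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\w.ps1",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts, the `reg.exe` write on WS01 and the PowerShell creation on SRV01; the hardening write of 0 and the unrelated `Debug` value are ignored. The `process` and `command_line` fields in each alert are the starting point for the execution-chain review the summary calls for.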
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1003
- T1003.001
Created: 2021-01-19