
Windows Autostart Execution LSASS Driver Registry Modification

Splunk Security Content

Summary
This detection rule monitors for modifications to two undocumented Windows registry keys that can cause a DLL to be loaded into the Local Security Authority Subsystem Service (LSASS), potentially enabling credential capture. By examining changes to the keys \CurrentControlSet\Services\NTDS\DirectoryServiceExtPt and \CurrentControlSet\Services\NTDS\LsaDbExtPt, the rule identifies attempts to inject unauthorized code into LSASS, the process that manages sensitive security information. Such modifications indicate potentially severe attacks aimed at escalating privileges or gaining unauthorized access to confidential data. The rule uses the Endpoint.Registry data model, populated from Sysmon Event IDs 12 (registry object created or deleted) and 13 (registry value set), to track these changes.
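The matching logic the summary describes, written out as a small stand-alone detector. This is an added example, not the Splunk search from the Security Content repository: it filters Sysmon registry events (IDs 12 and 13) and flags any whose TargetObject points at either of the two NTDS extension-point keys. The event records are constructed for the example, and the field names (EventID, Image, TargetObject, Details, Computer) are assumed to follow Sysmon's EventData naming as ingested into the Endpoint.Registry data model. The key is matched case-insensitively and as a prefix, because an Event ID 13 record carries the value name after the key path.

```python
"""Toy detector for the rule above: flag Sysmon registry events (IDs 12/13)
whose TargetObject is one of the two undocumented LSASS extension-point keys.
Added example, not Splunk's own search; all event records are constructed."""

import re

# The two keys named in the rule, matched case-insensitively. The trailing
# group lets the key be followed by a value name (Event ID 13) or end there.
WATCHED_KEYS = re.compile(
    r"\\currentcontrolset\\services\\ntds\\(directoryserviceextpt|lsadbextpt)(\\|$)",
    re.IGNORECASE,
)

# Sysmon registry events: 12 = key/value create or delete, 13 = value set.
REGISTRY_EVENT_IDS = {12, 13}


def is_lsass_extpt_modification(event):
    """Return True when the event is a registry change to a watched key."""
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return False
    return WATCHED_KEYS.search(event.get("TargetObject", "")) is not None


def find_lsass_driver_modifications(events):
    """Return one alert dict per matching event, keeping the fields an analyst
    wants first: which process on which host touched which key, and the value."""
    alerts = []
    for ev in events:
        if is_lsass_extpt_modification(ev):
            alerts.append({
                "event_id": ev["EventID"],
                "computer": ev.get("Computer", "unknown"),
                "process": ev.get("Image", "unknown"),
                "target": ev["TargetObject"],
                "details": ev.get("Details", ""),
            })
    return alerts


# Constructed sample records shaped like Sysmon EventData (assumed field names).
# Two should alert, one touches a different NTDS key, one is not a registry event.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01.corp.example",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt",
     "Details": r"C:\ProgramData\example.dll"},
    {"EventID": 12, "Computer": "ws01.corp.example",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt",
     "Details": ""},
    {"EventID": 13, "Computer": "ws02.corp.example",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Port",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Computer": "ws02.corp.example",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\NTDS\LsaDbExtPt",
     "Details": ""},
]

if __name__ == "__main__":
    for alert in find_lsass_driver_modifications(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the first two records alert and the other two do not: the third writes a different key under NTDS, and the fourth carries a matching path but is not a registry event, so the Event ID filter drops it. In a real pipeline the Image and Details fields are what triage starts with, since a legitimate reason to populate these keys is rare and the value written names the DLL that would be loaded.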
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1547.008
Created: 2024-11-13