
Summary
This detection rule identifies modifications to the network logon provider registry keys on Windows systems. Adversaries may modify these keys to register a rogue network logon provider module, which lets them capture authentication credentials in clear text during user logon sessions. The rule is written in EQL (Event Query Language) and matches registry change events as they occur. It queries the specific Windows registry paths associated with network providers and excludes the default providers to minimize false positives. Each alert calls for a series of investigative steps, including examining the responsible process and its execution chain and assessing the legitimacy of the registered provider DLL. The response section outlines the actions to take if malicious activity is confirmed, covering the incident response process, remediation steps, and enhanced detection measures.
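As an added example (not the rule's own EQL and not code from the rule's project), the same matching logic written in Python and run over constructed registry-change events. The ProviderPath key location, the three stock provider DLLs used as the allow-list, and the choice to exclude them only when written by LocalSystem are assumptions drawn from general Windows knowledge, not values stated on this page.

```python
import fnmatch

# Value naming a provider DLL (Windows key given from general knowledge; the page does not
# spell it out). "*controlset*" covers CurrentControlSet and ControlSet00N. Compared lowercased.
PROVIDER_PATH_GLOB = r"hklm\system\*controlset*\services\*\networkprovider\providerpath"
# Assumed allow-list of the stock providers (LanmanWorkstation, RDPNP, WebClient).
DEFAULT_PROVIDER_DLLS = {r"%systemroot%\system32\ntlanman.dll",
                         r"%systemroot%\system32\drprov.dll",
                         r"%systemroot%\system32\davclnt.dll"}
LOCAL_SYSTEM_SID = "S-1-5-18"

def provider_name(registry_path):
    # Service name is the key component just before "NetworkProvider".
    parts = registry_path.split("\\")
    return parts[[p.lower() for p in parts].index("networkprovider") - 1]

def is_suspicious(event):
    # Mirrors the rule: a change to a ProviderPath value, unless it is one of the
    # default providers being written by LocalSystem (SCM/servicing re-registration).
    if event.get("event_type") != "change":
        return False
    if not fnmatch.fnmatchcase(event["registry_path"].lower(), PROVIDER_PATH_GLOB):
        return False
    default_by_system = (event.get("user_id") == LOCAL_SYSTEM_SID
                         and event.get("data", "").lower() in DEFAULT_PROVIDER_DLLS)
    return not default_by_system

def find_rogue_providers(events):
    # (service name, DLL path) for every event the rule would raise an alert on.
    return [(provider_name(e["registry_path"]), e["data"]) for e in events if is_suspicious(e)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event_type": "change", "user_id": "S-1-5-18",   # OS re-registering a stock provider: excluded
     "registry_path": r"HKLM\SYSTEM\ControlSet001\Services\LanmanWorkstation\NetworkProvider\ProviderPath",
     "data": r"%SystemRoot%\System32\ntlanman.dll"},
    {"event_type": "change", "user_id": "S-1-5-21-1111-2222-3333-1001",   # new service, DLL outside System32: alert
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleProv\NetworkProvider\ProviderPath",
     "data": r"C:\ProgramData\example\exprov.dll"},
    {"event_type": "change", "user_id": "S-1-5-21-1111-2222-3333-1001",   # stock DLL but not written by SYSTEM: alert
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider\ProviderPath",
     "data": r"%SystemRoot%\System32\drprov.dll"},
    {"event_type": "change", "user_id": "S-1-5-18",   # sibling value, not ProviderPath: ignored
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider\Name",
     "data": "Microsoft Remote Desktop Session Host Server Network Provider"},
]

if __name__ == "__main__":
    for name, dll in find_rogue_providers(SAMPLE_EVENTS):
        print(f"ALERT: non-default network provider {name!r} -> {dll}")
```

The third sample shows why the exclusion is tied to the writing account: a stock DLL path re-written by an interactive user still alerts, so a provider entry pointing at a legitimate name is not enough to be ignored.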
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- Malware Repository
- Network Traffic
ATT&CK Techniques
- T1556
- T1543
Created: 2021-03-18