
Windows Credential Guard Registry Tampering Via CommandLine

Summary
This detection rule identifies attempts to tamper with Windows Credential Guard by monitoring command line activity that modifies or deletes critical registry keys related to security features. Credential Guard utilizes virtualization-based security to safeguard sensitive information such as NTLM hashes and Kerberos tickets from unauthorized access. Attackers may seek to disable this feature to facilitate credential theft, thereby enabling lateral movement and privilege escalation within a targeted environment. The rule focuses on process creation events involving command line tools like Reg.exe and PowerShell, specifically looking for commands that interact with registry paths associated with DeviceGuard and LSA. Key registry values such as EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, and LsaCfgFlags are monitored for changes that could indicate malicious activity. A successful match implies a potential security threat, as it suggests an effort to compromise Credential Guard and related security measures.
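As an added illustration, not the Sigma rule itself or its source, the Python check below applies the logic described in the summary to constructed process-creation events. The registry paths are the standard HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard and \Lsa locations; the tool list, the list of modifying verbs and the treatment of a whole-key delete are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Registry locations and value names taken from the rule summary. The matching
# logic below is an assumption for illustration, not the published rule's logic.
REGISTRY_PATHS = (
    r"system\currentcontrolset\control\deviceguard",
    r"system\currentcontrolset\control\lsa",
)
VALUE_NAMES = ("enablevirtualizationbasedsecurity", "requireplatformsecurityfeatures", "lsacfgflags")
TOOLS = ("reg.exe", "powershell.exe", "pwsh.exe")  # assumed tool list
# Verbs that change the registry; plain reads such as "reg query" are ignored.
MODIFY_VERB_RE = re.compile(
    r"\b(add|delete|set-itemproperty|new-itemproperty|remove-itemproperty|remove-item)\b"
)
DELETE_VERBS = {"delete", "remove-item", "remove-itemproperty"}

@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line as logged (Sysmon EID 1 / Security 4688)

def check_credential_guard_tampering(event):
    """Return match details when the event looks like Credential Guard tampering, else None."""
    tool = event.image.lower().rsplit("\\", 1)[-1]
    if tool not in TOOLS:
        return None
    cmd = event.command_line.lower()
    path = next((p for p in REGISTRY_PATHS if p in cmd), None)
    verb = MODIFY_VERB_RE.search(cmd)
    if path is None or verb is None:
        return None
    value = next((v for v in VALUE_NAMES if v in cmd), None)
    # Deleting the whole key is suspicious even when no value name appears.
    if value is None and verb.group(1) not in DELETE_VERBS:
        return None
    return {"tool": tool, "verb": verb.group(1), "registry_path": path, "value_name": value}

# Constructed sample events (not real telemetry): two modifications, one key delete,
# one read-only query and one unrelated registry write.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\reg.exe", r"reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LsaCfgFlags /t REG_DWORD /d 0 /f"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -Command Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard -Name EnableVirtualizationBasedSecurity -Value 0"),
    ProcessEvent(r"C:\Windows\System32\reg.exe", r"reg.exe delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard /f"),
    ProcessEvent(r"C:\Windows\System32\reg.exe", r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LsaCfgFlags"),
    ProcessEvent(r"C:\Windows\System32\reg.exe", r"reg.exe add HKLM\SOFTWARE\Contoso\App /v Enabled /t REG_DWORD /d 1 /f"),
]

def run_samples():
    return [check_credential_guard_tampering(e) for e in SAMPLE_EVENTS]
```

Only the first three sample events produce a match; the read-only query and the unrelated write fall through, which is the false-positive boundary a tuned version of this rule should keep.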
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
Created: 2025-12-26