
Potential LSA password filter

Anvilogic Forge

Summary
This detection rule identifies potential attempts by adversaries to register malicious password filter DLLs with the Windows Local Security Authority (LSA) by monitoring relevant process activity. A malicious password filter DLL can capture user credentials in plaintext during the authentication process. The detection focuses on the tokens 'add', 'control', and 'lsa' appearing together in process activity, which is indicative of modifying the authentication configuration. The rule examines process activity within a two-hour window, using CrowdStrike Falcon Data Replicator (FDR) EDR logs, and checks for specific regex patterns in the process names. Its goal is to provide an early warning of potential credential theft and privilege escalation by threat actors, in line with the techniques outlined in the MITRE ATT&CK framework.
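As an added illustration of the matching logic the summary describes (this is not Anvilogic's rule or query; the event schema, the sample records and the exact regexes are assumptions made here), the following Python checks constructed process-creation records for all three tokens inside a two-hour window. The hypothetical records include a registry write to the Notification Packages value, a read-only query of the same value, a matching write that falls outside the window, and an unrelated command, so the output shows which ones the token test and the window filter keep.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# The three tokens named in the rule summary. Each is a word-bounded,
# case-insensitive regex so that "Lsa", "LSA" and "lsa" all match.
TOKEN_PATTERNS = {
    "add": re.compile(r"\badd\b", re.IGNORECASE),
    "control": re.compile(r"\bcontrol\b", re.IGNORECASE),
    "lsa": re.compile(r"\blsa\b", re.IGNORECASE),
}


@dataclass
class ProcessEvent:
    """One normalised process-creation record (hypothetical schema, not FDR's)."""
    timestamp: datetime
    host: str
    image: str
    command_line: str


def matching_tokens(command_line: str) -> list[str]:
    """Return the names of the tokens found in the command line, in dict order."""
    return [name for name, pat in TOKEN_PATTERNS.items() if pat.search(command_line)]


def is_candidate(event: ProcessEvent) -> bool:
    """An event is a candidate only when all three tokens are present."""
    return len(matching_tokens(event.command_line)) == len(TOKEN_PATTERNS)


def detect(events, now: datetime, window: timedelta = timedelta(hours=2)):
    """Apply the token test to events that fall inside the look-back window."""
    start = now - window
    return [e for e in events if start <= e.timestamp <= now and is_candidate(e)]


# Constructed sample data: a fixed "now" and four hypothetical records.
NOW = datetime(2024, 2, 9, 12, 0, 0)
SAMPLE_EVENTS = [
    # Registry write to the LSA Notification Packages value, 5 minutes ago.
    ProcessEvent(NOW - timedelta(minutes=5), "ws-01", "reg.exe",
                 r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages"'
                 r' /t REG_MULTI_SZ /d "scecli\0newfilter" /f'),
    # Read-only query of the same value: has "control" and "lsa" but no "add".
    ProcessEvent(NOW - timedelta(minutes=30), "ws-02", "reg.exe",
                 r'reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages"'),
    # Same kind of write, but 5 hours ago: outside the two-hour window.
    ProcessEvent(NOW - timedelta(hours=5), "ws-03", "reg.exe",
                 r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages"'
                 r' /t REG_MULTI_SZ /d "scecli" /f'),
    # Unrelated command that contains only "add".
    ProcessEvent(NOW - timedelta(minutes=10), "ws-04", "net.exe", "net user add alice"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, NOW):
        print(f"{hit.timestamp} {hit.host} {hit.image}: {hit.command_line}")
```

Requiring all three tokens is what keeps the read-only query and the unrelated `net user` command out of the results, and the window filter drops the older write even though it matches. A token test this broad is an early-warning signal rather than a verdict: the analyst still needs to confirm what was written to the Notification Packages value and whether the named DLL is a known, signed password filter.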
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
ATT&CK Techniques
  • T1556.002
  • T1547.002
Created: 2024-02-09