
Summary
This detection rule identifies modifications to the DNS Global Query Block List (GQBL), a Windows DNS Server feature that refuses to resolve a small set of names attackers commonly abuse, most notably the name used by the Web Proxy Auto-Discovery (WPAD) protocol. Without the block list, any domain member permitted to perform dynamic DNS updates could register a name such as wpad and route proxy traffic through a host it controls, an adversary-in-the-middle technique (T1557) that typically leads to credential capture, privilege escalation and lateral movement. Accounts with elevated rights over the DNS Server service, such as members of the DNSAdmins group, can alter or disable the GQBL. The EQL query monitors changes to the relevant DNS Server registry values, specifically a change that disables the list (EnableGlobalQueryBlockList set to 0) or one that removes critical entries such as wpad from it (GlobalQueryBlockList). Flagging such modifications gives visibility into defense evasion attempts (T1562.001) on the endpoint.
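The detection logic described above, run over a handful of constructed registry-change events, as an added example that is not the rule's own EQL query or any vendor code. It assumes a simplified event shape (host, full registry path including the value name, decoded value data, writing process); the registry key and value names are the real Windows DNS Server settings, the event records are made up for illustration.

```python
"""Added example: GQBL tamper detection over constructed registry-change events.

Not the detection rule's own query. Flags two conditions the rule summary
describes: the block list being switched off, and a protected name (wpad,
isatap) disappearing from the list.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Real Windows DNS Server registry location and value names.
GQBL_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
ENABLE_VALUE = "EnableGlobalQueryBlockList"   # REG_DWORD, 0 disables the list
LIST_VALUE = "GlobalQueryBlockList"           # REG_MULTI_SZ, one name per entry
PROTECTED_NAMES = {"wpad", "isatap"}          # Windows defaults in the list


@dataclass
class RegistryEvent:
    """Hypothetical, simplified registry 'value set' event (assumption)."""
    host: str
    path: str                       # key path plus value name
    data: Union[int, List[str]]     # decoded REG_DWORD or REG_MULTI_SZ data
    process: str = ""


def evaluate(event: RegistryEvent) -> Optional[str]:
    """Return a verdict string for a suspicious GQBL change, else None."""
    key, _, value = event.path.rpartition("\\")
    if key.lower() != GQBL_KEY.lower():
        return None  # not the DNS Server parameters key at all

    if value.lower() == ENABLE_VALUE.lower():
        # Only a transition to 0 is interesting; re-enabling is benign.
        return "gqbl_disabled" if event.data == 0 else None

    if value.lower() == LIST_VALUE.lower():
        if not isinstance(event.data, list):
            return None
        present = {n.strip().lower() for n in event.data}
        missing = PROTECTED_NAMES - present
        if missing:
            return "gqbl_entry_removed:" + ",".join(sorted(missing))
        return None

    return None  # other DNS parameters are out of scope for this rule


def run_detection(events: List[RegistryEvent]) -> List[Tuple[str, str, str]]:
    """Apply evaluate() to every event; return (host, process, verdict) hits."""
    hits = []
    for ev in events:
        verdict = evaluate(ev)
        if verdict:
            hits.append((ev.host, ev.process, verdict))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: list explicitly enabled.
    RegistryEvent("dc01", GQBL_KEY + "\\" + ENABLE_VALUE, 1, "dnscmd.exe"),
    # Suspicious: list switched off.
    RegistryEvent("dc01", GQBL_KEY + "\\" + ENABLE_VALUE, 0, "dnscmd.exe"),
    # Benign: defaults rewritten unchanged.
    RegistryEvent("dc02", GQBL_KEY + "\\" + LIST_VALUE, ["wpad", "isatap"], "powershell.exe"),
    # Suspicious: wpad removed, isatap kept.
    RegistryEvent("dc02", GQBL_KEY + "\\" + LIST_VALUE, ["isatap"], "powershell.exe"),
    # Unrelated DNS parameter under the same key.
    RegistryEvent("dc03", GQBL_KEY + "\\BootMethod", 3, "services.exe"),
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

On a live DNS server the same state can be audited directly with the DnsServer PowerShell module (`Get-DnsServerGlobalQueryBlockList`), and the registry values above are what `Set-DnsServerGlobalQueryBlockList -Enable` and `-List` write, so a legitimate administrative change will produce exactly the events this logic flags; the writing process and account in the event are what separate routine maintenance from tampering.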
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Cloud Service
- Application Log
- Process
ATT&CK Techniques
- T1562
- T1562.001
- T1557
Created: 2024-05-31