
Summary
This analytic rule identifies attempts to change a Windows network profile's category to "Private" via registry modification. The change is made under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID} path, specifically by setting the Category value to 1, which denotes a private network profile. This activity is significant because the Private profile typically carries less restrictive firewall policies, which can give an adversary a foothold for lateral movement within a network. While such registry modifications can stem from legitimate administrative actions, the rule highlights the importance of monitoring this particular change, especially when it occurs outside standard IT practices or is correlated with other suspicious behaviour such as unauthorized account access or the use of unsigned binaries. Detection relies on Sysmon EventID 13 (registry value set), focusing on registry changes that signal potential post-exploitation activity. The rule is most relevant where registry modifications are made without proper oversight, and it flags those changes for further investigation.
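The matching logic described above, as an added example that is not part of the original rule: it runs over constructed Sysmon EventID 13 records (assumed field names EventID, EventType, TargetObject, Details, Image; the GUID and image paths are made up) and flags only a Category value set to 1 under a NetworkList profile key, ignoring Public/Domain values, other value names, and key-creation events.

```python
import re

# Sysmon Event ID 13 is "RegistryEvent (Value Set)"; the Details field renders a
# REG_DWORD as "DWORD (0x00000001)". Category 1 marks the network profile Private.
PROFILE_CATEGORY_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\"
    r"\{[0-9A-Fa-f-]{36}\}\\Category$",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"^DWORD \((0x[0-9A-Fa-f]{8})\)$")


def parse_dword(details: str):
    """Return the integer carried by a Sysmon 'DWORD (0x...)' Details field, else None."""
    m = DWORD_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def is_private_profile_change(event: dict) -> bool:
    """True when a Sysmon event sets a NetworkList profile's Category to 1 (Private)."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False  # key create/delete (12) or rename (14) are out of scope
    if not PROFILE_CATEGORY_RE.match(event.get("TargetObject", "")):
        return False  # other values under the profile key (e.g. ProfileName) are ignored
    return parse_dword(event.get("Details", "")) == 1  # 0 = Public, 2 = Domain


def detect(events):
    """Return the events that match the rule, with Image kept for triage."""
    return [e for e in events if is_private_profile_change(e)]


# Constructed sample events (not real telemetry) shaped like Sysmon Event ID 13 records.
_PROFILE = ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\"
            "{8A4B2C6E-1D3F-4E5A-9B7C-0D1E2F3A4B5C}")
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Users\\alice\\tool.exe",
     "TargetObject": _PROFILE + "\\Category", "Details": "DWORD (0x00000001)"},  # hit
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": _PROFILE + "\\Category", "Details": "DWORD (0x00000000)"},  # Public
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": _PROFILE + "\\ProfileName", "Details": "Office Wi-Fi"},  # other value
    {"EventID": 12, "EventType": "CreateKey", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": _PROFILE},  # key creation, not a value set
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} set {hit['TargetObject']} to Private (Category=1)")
```

In a real pipeline the Image field of a hit is the first triage pivot: a value set by an unexpected or unsigned binary is far more interesting than one written by the Network Location Awareness service.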
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1112
Created: 2025-10-07