
Summary
This detection rule identifies unauthorized modifications to the Local Security Authority (LSA) settings that govern Security Support Providers (SSPs) on Windows systems. SSPs are DLLs loaded into the LSA process that can intercept authentication, potentially giving an attacker access to both encrypted and plaintext passwords handled on the system. The rule monitors changes to the registry keys associated with the LSA Security Packages. When an update to one of these keys is observed, the rule excludes legitimate updates made by the Windows Installer (msiexec) to minimize false positives. This detection is important for identifying a persistence mechanism that attackers use to capture user credentials and escalate their privileges on a compromised host.
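The matching logic described above, written out as an added Python example that is not part of the rule itself: it normalizes the hive prefix of a registry path, flags any write to the LSA Security Packages values that does not come from msiexec.exe, and lists package names outside a baseline of default Windows SSPs. The exact value paths, the baseline set and the sample events are assumptions and constructed data, not taken from the rule.

```python
"""Flag changes to the LSA Security Packages registry values, ignoring updates
made by the Windows Installer (msiexec.exe), as the rule summary describes."""

# Standard locations of the Security Packages values (assumed; the rule
# summary does not spell out the exact paths). Stored lower-case for matching.
TARGET_VALUES = {
    r"hklm\system\currentcontrolset\control\lsa\security packages",
    r"hklm\system\currentcontrolset\control\lsa\osconfig\security packages",
}
# Process whose updates the rule treats as legitimate (from the summary).
ALLOWED_PROCESSES = {"msiexec.exe"}
# Assumed baseline of SSPs shipped with Windows; anything else is reported.
KNOWN_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}


def normalize_path(path):
    """Map the hive spellings used by different log sources onto 'hklm\\...'."""
    p = path.strip().lower().replace("/", "\\")
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\"):
        if p.startswith(prefix):
            p = "hklm\\" + p[len(prefix):]
    return p


def process_name(image):
    """Return the lower-cased file name from a full process image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return an alert for a suspicious registry write, or None if ignored."""
    if normalize_path(event["target"]) not in TARGET_VALUES:
        return None  # not one of the monitored values
    if process_name(event["image"]) in ALLOWED_PROCESSES:
        return None  # expected source of updates (Windows Installer)
    packages = set(event["details"].lower().split())
    return {"image": event["image"], "unknown_packages": sorted(packages - KNOWN_PACKAGES)}


def detect(events):
    """Run every event through evaluate() and keep only the alerts."""
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed sample events in a simplified Sysmon "registry value set" shape.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe", "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages", "details": "kerberos msv1_0 schannel wdigest tspkg pku2u"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\setup.exe", "target": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages", "details": "kerberos msv1_0 schannel wdigest tspkg pku2u unknownssp"},
    {"image": r"C:\Windows\System32\reg.exe", "target": r"HKLM\SOFTWARE\ExampleVendor\Setting", "details": "1"},
    {"image": r"C:\Windows\regedit.exe", "target": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages", "details": "kerberos msv1_0 schannel"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second and fourth sample events produce alerts; the fourth is reported even though it only contains default packages, because the rule alerts on any non-msiexec write to these values.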
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2019-01-18