
Summary
This rule detects a potential persistence mechanism involving the Microsoft Fax service DLL on Windows systems. It monitors registry values belonging to the Fax service: any modification of the Fax Device Providers or ImageName entries that redirects them away from fxst30.dll in the system32 directory, a change that takes effect when the system restarts, could indicate an attempt by a malicious actor to maintain persistence. The detection logic uses a selection criterion that matches registry objects under the paths associated with the Fax service, and excludes benign changes with a filter condition that matches the DLL's original state. The high severity level reflects the need to triage any detection promptly. The rule aims to identify unwarranted changes that could signify lateral movement or evasion tactics typically employed by attackers.
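The selection-and-filter logic described above, re-implemented here as an added example over constructed Sysmon-style registry-set records (this is illustrative code, not the rule's own text; the exact filter value and the sample events are assumptions):

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistrySetEvent:
    """One registry value-set event (Sysmon Event ID 13 style fields)."""
    target_object: str  # full path of the registry value that was written
    details: str        # data written to the value
    image: str          # process that performed the write


# Selection: writes to ...\Software\Microsoft\Fax\Device Providers\<provider>\ImageName
# whose new data names a DLL, as the rule summary describes.
FAX_PROVIDERS_PATH = r"\software\microsoft\fax\device providers"
IMAGE_NAME_SUFFIX = r"\imagename"
# Filter: the built-in provider DLL in system32. Assumed literal; the page only says
# the filter matches the original fxst30.dll. Accepts the unexpanded %systemroot%
# form and an expanded <drive>:\Windows form, case-insensitively.
BENIGN_FAX_DLL = re.compile(
    r"^(%systemroot%|[a-z]:\\windows)\\system32\\fxst30\.dll$", re.IGNORECASE
)


def matches_selection(ev: RegistrySetEvent) -> bool:
    target = ev.target_object.lower()
    return (
        FAX_PROVIDERS_PATH in target
        and target.endswith(IMAGE_NAME_SUFFIX)
        and ".dll" in ev.details.lower()
    )


def matches_benign_filter(ev: RegistrySetEvent) -> bool:
    return BENIGN_FAX_DLL.match(ev.details.strip().strip('"')) is not None


def detect(events):
    """condition: selection and not filter"""
    return [ev for ev in events if matches_selection(ev) and not matches_benign_filter(ev)]


# Constructed sample events (not real telemetry); the provider GUID is a placeholder.
FAX_KEY = r"HKLM\SOFTWARE\Microsoft\Fax\Device Providers\{provider-guid}"
SAMPLE_EVENTS = [
    RegistrySetEvent(FAX_KEY + r"\ImageName", r"%systemroot%\system32\fxst30.dll", r"C:\Windows\System32\fxssvc.exe"),
    RegistrySetEvent(FAX_KEY + r"\ImageName", r"C:\WINDOWS\System32\FXST30.DLL", r"C:\Windows\regedit.exe"),
    RegistrySetEvent(FAX_KEY + r"\FriendlyName", "Microsoft Modem Device Provider", r"C:\Windows\regedit.exe"),
    RegistrySetEvent(FAX_KEY + r"\ImageName", r"C:\ProgramData\Updater\provider.dll", r"C:\Windows\System32\reg.exe"),
]


def run_detection():
    """Return the Details values of the sample events that alert."""
    return [ev.details for ev in detect(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {hit.image} wrote {hit.target_object} = {hit.details}")
```

Only the fourth sample event alerts: the first two are filtered as the original DLL (in both path spellings) and the third never enters the selection because it is not an ImageName value.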
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
Created: 2022-07-17