LSA Authentication Packages Registry Key Modified

Anvilogic Forge

Summary
This detection rule identifies unauthorized modifications to the Windows Registry entries that configure LSA (Local Security Authority) authentication packages. Adversaries leverage this mechanism to establish persistence or escalate privileges by adding a reference to a malicious binary to the LSA authentication package configuration stored under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\. By detecting changes to this key, security teams can spot potential signs of compromise. The rule uses specific event codes from PowerShell logs and searches for commands that may indicate illicit modifications, such as the use of Set-ItemProperty and the addition of entries related to the LSA authentication packages. When such activity is detected, an alert is generated, giving defenders timely insight into possible malicious actions by adversaries.
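The following is an added worked example of the detection logic the summary describes, not Anvilogic's own rule. It assumes PowerShell script block logging is enabled (Event ID 4104, whose ScriptBlockText field carries the executed script) and flags script blocks that write to the LSA "Authentication Packages" value with Set-ItemProperty or New-ItemProperty. It goes one step beyond the summary by parsing the -Value argument and separating the packages from the default baseline (msv1_0), so a change that merely restores the default still alerts but is visibly lower priority. The sample events are constructed and the extra package name is a placeholder.

```python
"""Toy detector for T1547.002: PowerShell writes to the LSA
'Authentication Packages' registry value (added example, not the vendor rule)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: PowerShell script block logging, Event ID 4104, with a
# ScriptBlockText field. Other event codes are ignored by this rule.
SCRIPT_BLOCK_EVENT_ID = 4104

# Registry path from the rule summary (HKLM:\ drive form or plain HKLM\).
LSA_KEY_RE = re.compile(r"HKLM:?\\SYSTEM\\CurrentControlSet\\Control\\Lsa\b", re.IGNORECASE)
# Cmdlets that write a registry value; Get-ItemProperty (a read) is not matched.
WRITE_CMDLET_RE = re.compile(r"\b(Set-ItemProperty|New-ItemProperty)\b", re.IGNORECASE)
AUTH_PKG_RE = re.compile(r"Authentication\s*Packages", re.IGNORECASE)
# Captures the comma-separated list after -Value, quoted or bare elements.
VALUE_ARG_RE = re.compile(
    r"-Value\s+((?:'[^']*'|\"[^\"]*\"|[^\s,]+)(?:\s*,\s*(?:'[^']*'|\"[^\"]*\"|[^\s,]+))*)",
    re.IGNORECASE,
)
# Default package shipped by Windows; anything else is worth a closer look.
BASELINE_PACKAGES = {"msv1_0"}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "ScriptBlockText":
     r"Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Authentication Packages'"},
    {"EventCode": 4104, "ScriptBlockText":
     r"Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Authentication Packages' -Value 'msv1_0','example_extra_package'"},
    {"EventCode": 4104, "ScriptBlockText":
     r"Set-ItemProperty -Path 'HKLM:\Software\Contoso\App' -Name 'Enabled' -Value 1"},
    {"EventCode": 4104, "ScriptBlockText":
     r"Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LmCompatibilityLevel' -Value 5"},
    {"EventCode": 4104, "ScriptBlockText":
     r"Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Authentication Packages' -Value 'msv1_0'"},
    {"EventCode": 4100, "ScriptBlockText":
     r"Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Authentication Packages' -Value 'msv1_0'"},
]


@dataclass
class Finding:
    event_index: int
    packages: List[str]       # every package named in -Value
    new_packages: List[str]   # those not in the Windows default baseline
    script: str


def parse_value_list(script_text: str) -> List[str]:
    """Return the -Value elements with quotes stripped; [] when absent."""
    m = VALUE_ARG_RE.search(script_text)
    if not m:
        return []
    return [p.strip().strip("'\"") for p in m.group(1).split(",") if p.strip()]


def evaluate(event: dict, index: int) -> Optional[Finding]:
    """Apply the rule to a single event; None means no alert."""
    if event.get("EventCode") != SCRIPT_BLOCK_EVENT_ID:
        return None
    text = event.get("ScriptBlockText", "")
    if not (WRITE_CMDLET_RE.search(text) and LSA_KEY_RE.search(text) and AUTH_PKG_RE.search(text)):
        return None
    packages = parse_value_list(text)
    new_packages = [p for p in packages if p.lower() not in BASELINE_PACKAGES]
    return Finding(index, packages, new_packages, text)


def run(events: List[dict]) -> List[Finding]:
    """Run the rule over a batch of events and collect the alerts."""
    findings = [evaluate(e, i) for i, e in enumerate(events)]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        level = "HIGH" if f.new_packages else "LOW (baseline restored)"
        print(f"[{level}] event {f.event_index}: new packages {f.new_packages}")
```

In a SIEM the same three conditions (write cmdlet, LSA key path, "Authentication Packages") become the search filter, and the baseline comparison becomes a field extraction plus a lookup; the reads, writes to other values under the same key, and non-4104 events in the sample all fall through without alerting.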
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Script
ATT&CK Techniques
  • T1547.002
Created: 2024-02-09