In order to establish persistence, and attacker can modify the OS Authentication Package binaries to use their own malware. See https://attack.mitre.org/wiki/Technique/T1131 for details. The key in question is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages. The value of this key should only be msv1_0