sigmaDRL-1.1from SigmaHQ/sigma
Potential Persistence Via Mpnotify
Detects when an attacker register a new SIP provider for persistence and defense evasion
Quality
98
FP risk
—
Forks
0
Views
0
Rule sourcerules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml
title: Potential Persistence Via Mpnotify
id: 92772523-d9c1-4c93-9547-b0ca500baba3
status: test
description: Detects when an attacker register a new SIP provider for persistence and defense evasion
references:
- https://persistence-info.github.io/Data/mpnotify.html
- https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify'
condition: selection
falsepositives:
- Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
level: high