Potential Persistence Via Mpnotify

 1title: Potential Persistence Via Mpnotify
 2id: 92772523-d9c1-4c93-9547-b0ca500baba3
 3status: test
 4description: Detects when an attacker register a new SIP provider for persistence and defense evasion
 5references:
 6    - https://persistence-info.github.io/Data/mpnotify.html
 7    - https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-07-21
10modified: 2023-08-17
11tags:
12    - attack.persistence
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection:
18        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify'
19    condition: selection
20falsepositives:
21    - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
22level: high

References

• MPNotify

  MPNotify Location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Classification: Criteria Value Permissions Admin Security context System Persistence type Registry Code type EXE Launch...

  
  Read More

• YouTube

  

  Share your videos with friends, family, and the world

  
  Read More

Related rules

• A Member Was Added to a Security-Enabled Global Group
• A Member Was Removed From a Security-Enabled Global Group
• A New Trust Was Created To A Domain
• A Security-Enabled Global Group Was Deleted
• AWS ECS Task Definition That Queries The Credential Endpoint