Potential Persistence Via Mpnotify

Detects when an attacker register a new SIP provider for persistence and defense evasion

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Mpnotify
 2id: 92772523-d9c1-4c93-9547-b0ca500baba3
 3status: test
 4description: Detects when an attacker register a new SIP provider for persistence and defense evasion
 5references:
 6    - https://persistence-info.github.io/Data/mpnotify.html
 7    - https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/07/21
10modified: 2023/08/17
11tags:
12    - attack.persistence
13logsource:
14    category: registry_set
15    product: windows
16detection:
17    selection:
18        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify'
19    condition: selection
20falsepositives:
21    - Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
22level: high

References

Related rules

to-top