← Back to Explore
sigmahighHunting
Potential Persistence Via Mpnotify
Detects when an attacker register a new SIP provider for persistence and defense evasion
Detection Query
selection:
TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-07-21
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.persistence
Raw Content
title: Potential Persistence Via Mpnotify
id: 92772523-d9c1-4c93-9547-b0ca500baba3
status: test
description: Detects when an attacker register a new SIP provider for persistence and defense evasion
references:
- https://persistence-info.github.io/Data/mpnotify.html
- https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify'
condition: selection
falsepositives:
- Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way
level: high