LoFP / Legitimate SIP being registered by the OS or different software.

Techniques

Sample rules

Persistence Via New SIP Provider

Description

Detects when an attacker registers a new SIP (Subject Interface Package) provider for persistence and defense evasion.

Detection logic

condition: all of selection_* and not 1 of filter*
filter:
  Details:
  - WINTRUST.DLL
  - mso.dll
filter_poqexec:
  Details: C:\Windows\System32\PsfSip.dll
  Image: C:\Windows\System32\poqexec.exe
  TargetObject|contains: \CryptSIPDll
selection_dll:
  TargetObject|contains:
  - \Dll
  - \$DLL
selection_root:
  TargetObject|contains:
  - \SOFTWARE\Microsoft\Cryptography\Providers\
  - \SOFTWARE\Microsoft\Cryptography\OID\EncodingType
  - \SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\
  - \SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType
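To show how the selection and filter clauses above combine (`all of selection_* and not 1 of filter*`), here is an added Python evaluator run over constructed Sysmon Event ID 13 (registry value set) records. It is example code written for this page, not the LoFP project's or the Sigma rule's own tooling; it assumes Sysmon's `TargetObject`, `Details` and `Image` field names, applies Sigma's default case-insensitive matching, and the GUIDs and file paths in the sample events are placeholders, not real indicators.

```python
"""Toy evaluator for the 'Persistence Via New SIP Provider' rule logic.

Added example (not part of the LoFP page or the Sigma rule). It assumes
Sysmon Event ID 13 field names and Sigma's case-insensitive matching.
"""

# selection_root: registry roots where SIP and trust providers are registered
SELECTION_ROOT = (
    "\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\",
    "\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType",
    "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\",
    "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType",
)
# selection_dll: the value names that point at the provider DLL
SELECTION_DLL = ("\\Dll", "\\$DLL")
# filter: DLLs the OS / Office register legitimately (the LoFP case)
FILTER_DETAILS = ("WINTRUST.DLL", "mso.dll")
# filter_poqexec: all three fields must match for this filter to apply
FILTER_POQEXEC_DETAILS = "C:\\Windows\\System32\\PsfSip.dll"
FILTER_POQEXEC_IMAGE = "C:\\Windows\\System32\\poqexec.exe"
FILTER_POQEXEC_TARGET = "\\CryptSIPDll"


def contains_any(value, needles):
    """Sigma '|contains' over a list: any needle is a case-insensitive substring."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def equals_any(value, candidates):
    """Sigma plain field match over a list: case-insensitive equality."""
    return value.lower() in {c.lower() for c in candidates}


def matches_rule(event):
    """Return True when the event satisfies the rule's condition."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    image = event.get("Image", "")

    selection_root = contains_any(target, SELECTION_ROOT)
    selection_dll = contains_any(target, SELECTION_DLL)

    filter_known_dll = equals_any(details, FILTER_DETAILS)
    filter_poqexec = (
        equals_any(details, (FILTER_POQEXEC_DETAILS,))
        and equals_any(image, (FILTER_POQEXEC_IMAGE,))
        and contains_any(target, (FILTER_POQEXEC_TARGET,))
    )
    # condition: all of selection_* and not 1 of filter*
    return selection_root and selection_dll and not (filter_known_dll or filter_poqexec)


# Constructed sample events with placeholder GUIDs and paths (not real indicators).
PLACEHOLDER_GUID = "{00000000-0000-0000-0000-000000000000}"
SAMPLE_EVENTS = [
    {   # new SIP DLL outside System32, registered by an unsigned user binary: should alert
        "id": "new-sip-dll-from-user-dir",
        "Image": "C:\\Users\\Public\\setup.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
                        "\\CryptSIPDllVerifyIndirectData\\" + PLACEHOLDER_GUID + "\\Dll",
        "Details": "C:\\Users\\Public\\custom_sip.dll",
    },
    {   # trust provider under Providers\ using the $DLL value name: should alert
        "id": "trust-provider-dll-from-user-dir",
        "Image": "C:\\Users\\Public\\setup.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust"
                        "\\FinalPolicy\\" + PLACEHOLDER_GUID + "\\$DLL",
        "Details": "C:\\Users\\Public\\trustprov.dll",
    },
    {   # OS servicing (poqexec.exe) registering PsfSip.dll: the filter_poqexec case
        "id": "poqexec-psfsip",
        "Image": FILTER_POQEXEC_IMAGE,
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
                        "\\CryptSIPDllCreateIndirectData\\" + PLACEHOLDER_GUID + "\\Dll",
        "Details": FILTER_POQEXEC_DETAILS,
    },
    {   # built-in WINTRUST.DLL registration: the generic filter case
        "id": "wintrust-builtin",
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
                        "\\CryptSIPDllGetSignedDataMsg\\" + PLACEHOLDER_GUID + "\\Dll",
        "Details": "WINTRUST.DLL",
    },
    {   # unrelated registry write: no selection matches at all
        "id": "unrelated-registry-write",
        "Image": "C:\\Users\\Public\\setup.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Users\\Public\\updater.exe",
    },
]


def evaluate(events):
    """Return the ids of events that would fire the rule."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:<36} -> {'ALERT' if matches_rule(e) else 'ok'}")
```

Running it flags only the two events that register a provider DLL from a user-writable directory; the `poqexec.exe`/`PsfSip.dll` and `WINTRUST.DLL` registrations are exactly the legitimate cases this LoFP entry describes, and the filters suppress them. When tuning the rule for another environment, the safest way to extend the filters is to add a further `filter_*` block keyed on both `Image` and `Details`, as `filter_poqexec` does, rather than widening the `Details` list alone.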