Techniques
Sample rules
Persistence Via New SIP Provider
- source: sigma
- techniques:
- t1553
- t1553.003
Description
Detects when an attacker registers a new SIP provider for persistence and defense evasion. Subject Interface Package (SIP) providers are the DLLs Windows loads to hash and verify the signature of a given file type; a rogue SIP DLL registered under the Cryptography provider keys can make unsigned or tampered code appear validly signed, so the rule watches for writes of a DLL path under those keys that are not one of the known Windows or Office providers.
Detection logic
selection_root:
    TargetObject|contains:
        - '\SOFTWARE\Microsoft\Cryptography\Providers\'
        - '\SOFTWARE\Microsoft\Cryptography\OID\EncodingType'
        - '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\'
        - '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType'
selection_dll:
    TargetObject|contains:
        - '\Dll'
        - '\$DLL'
filter:
    Details:
        - 'WINTRUST.DLL'
        - 'mso.dll'
filter_poqexec:
    Image: 'C:\Windows\System32\poqexec.exe'
    TargetObject|contains: '\CryptSIPDll'
    Details: 'C:\Windows\System32\PsfSip.dll'
condition: all of selection_* and not 1 of filter*
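The following is an added example, not code from the page or from the Sigma project: a small Python evaluator for the rule's detection block, run over constructed Sysmon Event ID 13 (registry value set) records. It assumes the Sysmon field names the rule uses (Image, TargetObject, Details), and reproduces the Sigma defaults that plain field values match exactly and case-insensitively while `|contains` is a case-insensitive substring match. Both selections must hold on the same event (a write under one of the Cryptography provider roots to a value named Dll or $DLL), and the event is dropped only if one of the two filters matches in full; the samples include a PsfSip.dll write from a process other than poqexec.exe to show that filter_poqexec is a conjunction of all three fields, not any one of them.

```python
# Added example, not part of the page or of the Sigma project: a minimal
# evaluator for the rule's detection block over constructed Sysmon EID 13 records.

# Field values taken verbatim from the rule's detection block.
SELECTION_ROOT = (
    "\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\",
    "\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType",
    "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\",
    "\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType",
)
SELECTION_DLL = ("\\Dll", "\\$DLL")
FILTER_DETAILS = ("WINTRUST.DLL", "mso.dll")
POQEXEC_IMAGE = "C:\\Windows\\System32\\poqexec.exe"
POQEXEC_TARGET_FRAGMENT = "\\CryptSIPDll"
POQEXEC_DETAILS = "C:\\Windows\\System32\\PsfSip.dll"


def _contains(value: str, needle: str) -> bool:
    """Sigma '|contains': case-insensitive substring match."""
    return needle.lower() in value.lower()


def _equals(value: str, expected: str) -> bool:
    """Sigma plain field value: case-insensitive exact match."""
    return value.lower() == expected.lower()


def matches(event: dict) -> bool:
    """Evaluate 'all of selection_* and not 1 of filter*' for one registry_set event."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    image = event.get("Image", "")

    selection_root = any(_contains(target, s) for s in SELECTION_ROOT)
    selection_dll = any(_contains(target, s) for s in SELECTION_DLL)
    # 'filter': the DLL name written is one of the two expected providers.
    filter_known = any(_equals(details, d) for d in FILTER_DETAILS)
    # 'filter_poqexec': all three fields must match for this filter to fire.
    filter_poqexec = (
        _equals(image, POQEXEC_IMAGE)
        and _contains(target, POQEXEC_TARGET_FRAGMENT)
        and _equals(details, POQEXEC_DETAILS)
    )
    return selection_root and selection_dll and not (filter_known or filter_poqexec)


def run_rule(events: list) -> list:
    """Return the labels of the events the rule would alert on, in input order."""
    return [e["label"] for e in events if matches(e)]


# Constructed sample events (not captured telemetry). The first GUID is the
# SIP subject type Windows uses for PE images; the second is the
# WINTRUST_ACTION_GENERIC_VERIFY_V2 trust provider action. Process image paths
# and DLL paths are illustrative.
PE_SIP_GUID = "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}"
VERIFY_KEY = ("HKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\"
              "CryptSIPDllVerifyIndirectData\\" + PE_SIP_GUID)
TRUST_KEY = ("HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\"
             "FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}")
REG_EXE = "C:\\Windows\\System32\\reg.exe"

SAMPLE_EVENTS = [
    {"label": "rogue_verify_dll", "Image": REG_EXE,
     "TargetObject": VERIFY_KEY + "\\Dll", "Details": "C:\\Users\\Public\\evilsip.dll"},
    {"label": "builtin_wintrust", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": VERIFY_KEY + "\\Dll", "Details": "WINTRUST.DLL"},
    {"label": "servicing_poqexec", "Image": POQEXEC_IMAGE,
     "TargetObject": VERIFY_KEY + "\\Dll", "Details": POQEXEC_DETAILS},
    {"label": "psfsip_from_other_process", "Image": "C:\\Temp\\installer.exe",
     "TargetObject": VERIFY_KEY + "\\Dll", "Details": POQEXEC_DETAILS},
    {"label": "rogue_trust_provider", "Image": REG_EXE,
     "TargetObject": TRUST_KEY + "\\$DLL", "Details": "C:\\Temp\\hijack.dll"},
    {"label": "funcname_only", "Image": REG_EXE,
     "TargetObject": VERIFY_KEY + "\\FuncName", "Details": "CryptSIPVerifyIndirectData"},
    {"label": "unrelated_key", "Image": REG_EXE,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Dll",
     "Details": "C:\\Temp\\x.dll"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(("ALERT " if matches(event) else "pass  ") + event["label"])
```

Running the block alerts on rogue_verify_dll, psfsip_from_other_process and rogue_trust_provider, and passes the rest. Note that the rule filters by DLL name rather than by a known-good GUID or signer, so a legitimate third-party SIP (or the built-in PowerShell SIP, whose Dll value is a full path rather than WINTRUST.DLL) will also alert; triage should confirm the DLL's location and signature rather than rely on the filter list alone.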