Might trigger if a legitimate new SIP provider is registered, but this is not a common occurrence in an environment and should be investigated either way.

Techniques

Sample rules

Potential Persistence Via Mpnotify

Description

Detects when an attacker registers a new SIP provider for persistence and defense evasion.

Detection logic

selection:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\mpnotify
condition: selection
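To show how this selection behaves against real-looking telemetry, here is an added Python example (not code from the LoFP page or from the Sigma project) that evaluates the rule's single `TargetObject|contains` selection over a few constructed Sysmon Event ID 13 (registry value set) events. It assumes the Sigma `registry_set` field names (`TargetObject`, `Image`, `Details`) and implements the Sigma `contains` modifier as a case-insensitive substring match. The sample events, including the installer-written entry that illustrates the false positive described above, are constructed for this example.

```python
# Added example: evaluate the page's Sigma selection over constructed
# Sysmon Event ID 13 events. Not part of the LoFP page or the Sigma project.
from typing import Dict, List

# Constructed sample events (Sysmon registry_set shape). The third event
# models the legitimate-installer case the false-positive note describes.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify",
     "Details": "C:\\Users\\Public\\notify.dll"},
    {"EventID": "13", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe"},
    {"EventID": "13", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\MPNOTIFY",
     "Details": "C:\\Program Files\\Vendor\\vendornotify.dll"},
]

# The rule's selection, transcribed from the page.
RULE_SELECTION: Dict[str, str] = {
    "TargetObject|contains":
        "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\mpnotify",
}


def sigma_contains(field_value: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match."""
    return needle.lower() in field_value.lower()


def matches_selection(event: Dict[str, str], selection: Dict[str, str]) -> bool:
    """A Sigma selection map matches only if every field entry matches (AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field, "")
        if modifier == "contains":
            if not sigma_contains(value, expected):
                return False
        elif modifier == "":
            # No modifier: Sigma compares the whole value, case-insensitively.
            if value.lower() != expected.lower():
                return False
        else:
            raise ValueError(f"modifier not implemented in this example: {modifier}")
    return True


def find_hits(events: List[Dict[str, str]],
              selection: Dict[str, str] = RULE_SELECTION) -> List[Dict[str, str]]:
    """Return the events that satisfy 'condition: selection'."""
    return [e for e in events if matches_selection(e, selection)]


def analyst_context(hit: Dict[str, str]) -> str:
    """Summarise what an analyst needs to confirm the hit: which process wrote
    the value and which DLL path was set. Per the false-positive note, a
    legitimate provider registration still warrants this check."""
    return f"{hit['Image']} set {hit['TargetObject']} -> {hit['Details']}"


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(analyst_context(hit))
```

The case-insensitive match is deliberate: the rule's value uses lowercase `mpnotify`, while the value name as written to the registry can differ in case, and Sigma string comparison is case-insensitive by default, so both the `mpnotify` and `MPNOTIFY` events above are hits while the `Shell` write is not.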