/
registry_set_sip_persistence.yml
42 lines (42 loc) · 1.52 KB
/
registry_set_sip_persistence.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
title: Persistence Via New SIP Provider
id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1
status: experimental
description: Detects when an attacker register a new SIP provider for persistence and defense evasion
references:
- https://persistence-info.github.io/Data/codesigning.html
- https://github.com/gtworek/PSBits/tree/master/SIP
- https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/07/21
modified: 2023/08/17
tags:
- attack.persistence
- attack.defense_evasion
- attack.t1553.003
logsource:
category: registry_set
product: windows
detection:
selection_root:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Cryptography\Providers\'
- '\SOFTWARE\Microsoft\Cryptography\OID\EncodingType'
- '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\'
- '\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType'
selection_dll:
TargetObject|contains:
- '\Dll'
- '\$DLL'
filter:
Details:
# Add more legitimate SIP providers according to your env
- WINTRUST.DLL
- mso.dll
filter_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
TargetObject|contains: '\CryptSIPDll'
Details: 'C:\Windows\System32\PsfSip.dll'
condition: all of selection_* and not 1 of filter*
falsepositives:
- Legitimate SIP being registered by the OS or different software.
level: medium