
Persistence Via New SIP Provider

Sigma Rules

Summary
This detection rule identifies the registration of a new SIP (Subject Interface Package) provider as a means of maintaining persistence on a Windows system. SIPs are the DLLs that the Windows code-signing stack (WinTrust) loads to locate and verify the signature for a given file type; each is registered per file-type GUID under HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDll* (for example CryptSIPDllVerifyIndirectData and CryptSIPDllGetSignedDataMsg), and the trust providers that make the final verdict live under HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust. An attacker who points one of these registrations at a DLL of their choosing gets that DLL loaded whenever a signature is checked and can make arbitrary files appear validly signed, which is why the technique serves both persistence and defense evasion (MITRE ATT&CK T1553.003, SIP and Trust Provider Hijacking). The rule consumes registry value-set events (typically Sysmon Event ID 13) and matches writes to the values that name the provider DLL beneath those keys (Dll and $DLL) whose data ends in .dll. Two exclusions keep it quiet on healthy systems: writes that merely re-register a short list of well-known Microsoft SIP DLLs, and writes performed by poqexec.exe, the Windows servicing component that rewrites these keys during updates. Anything else, such as a provider DLL in a user-writable path or a registration performed by an unexpected process, is surfaced. The rule is rated medium severity: a hit is a strong persistence and evasion indicator, but legitimate third-party SIP providers (signing and packaging tools) do register themselves, so triage the DLL path, its signature, and the writing process before acting.
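To make the selection-and-filter logic concrete, the following added example (written for this page, not code from the rule page or from the Sigma project) replays a rule of this shape over a handful of constructed Sysmon Event ID 13 records. The key fragments, the DLL allowlist, the poqexec.exe exclusion and the sample events are assumptions modelled on the published rule, not a copy of its YAML; the PE SIP GUID and the Authenticode trust-provider GUID are the well-known Windows values, used here only to make the sample paths realistic. Check the lists against the rule before reusing them.

```python
"""Replay a SIP-provider persistence detection over constructed registry events.

Added example: the key fragments, DLL allowlist and process exclusion below are
assumptions modelled on the Sigma rule "Persistence Via New SIP Provider",
not a copy of its YAML.
"""
from dataclasses import dataclass
from typing import List

# Registry subtrees where Subject Interface Package (SIP) and trust
# providers are registered (HKLM hive; WOW6432Node covers the 32-bit view).
SIP_KEY_FRAGMENTS = (
    r"\software\microsoft\cryptography\oid\encodingtype 0\cryptsipdll",
    r"\software\microsoft\cryptography\providers\trust",
    r"\software\wow6432node\microsoft\cryptography\oid\encodingtype 0\cryptsipdll",
    r"\software\wow6432node\microsoft\cryptography\providers\trust",
)
# The value under each provider GUID subkey that names the provider DLL.
SIP_VALUE_NAMES = (r"\dll", r"\$dll")
# Microsoft SIP DLLs that are legitimately (re)registered (assumed allowlist).
KNOWN_DLLS = {"wintrust.dll", "mso.dll", "pwrshsip.dll", "psfsip.dll", "ntdll.dll"}
# Windows servicing rewrites these keys during updates (assumed exclusion).
EXCLUDED_IMAGES = {r"c:\windows\system32\poqexec.exe"}


@dataclass
class RegistrySetEvent:
    """Minimal view of a Sysmon Event ID 13 (RegistryEvent SetValue) record."""
    image: str          # process that wrote the value
    target_object: str  # full registry path of the value
    details: str        # data written


def matches_sip_persistence(ev: RegistrySetEvent) -> bool:
    """Selection: a *.dll written to a Dll/$DLL value in a SIP or trust key.
    Filters: well-known Microsoft SIP DLLs, and writes made by poqexec.exe."""
    path = ev.target_object.lower()
    if not any(frag in path for frag in SIP_KEY_FRAGMENTS):
        return False
    if not path.endswith(SIP_VALUE_NAMES):
        return False
    data = ev.details.lower()
    if not data.endswith(".dll"):
        return False
    # Compare on the file name so both bare names and full paths are covered.
    if data.rsplit("\\", 1)[-1] in KNOWN_DLLS:
        return False
    if ev.image.lower() in EXCLUDED_IMAGES:
        return False
    return True


def run_rule(events: List[RegistrySetEvent]) -> List[int]:
    """Return the indexes of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_sip_persistence(ev)]


# Constructed sample events (not real telemetry).
PE_SIP_GUID = "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}"  # SIP for PE files
VERIFY_KEY = (r"HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0"
              r"\CryptSIPDllVerifyIndirectData" + "\\" + PE_SIP_GUID)
TRUST_KEY = (r"HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy"
             r"\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}")  # Authenticode verify

SAMPLE_EVENTS = [
    # 0: unsigned DLL in a user-writable path hijacks the PE SIP -> alert
    RegistrySetEvent(r"C:\Windows\System32\reg.exe", VERIFY_KEY + r"\Dll",
                     r"C:\Users\Public\sipshim.dll"),
    # 1: same key rewritten by Windows servicing with the stock DLL -> filtered
    RegistrySetEvent(r"C:\Windows\System32\poqexec.exe", VERIFY_KEY + r"\Dll",
                     "WINTRUST.DLL"),
    # 2: PowerShell SIP re-registered by an installer -> allowlisted DLL
    RegistrySetEvent(r"C:\Windows\System32\regsvr32.exe", VERIFY_KEY + r"\Dll",
                     r"C:\Windows\System32\pwrshsip.dll"),
    # 3: FuncName value, not the Dll value -> not selected
    RegistrySetEvent(r"C:\Windows\System32\reg.exe", VERIFY_KEY + r"\FuncName",
                     "CryptSIPVerifyIndirectData"),
    # 4: trust provider's final-policy DLL pointed at attacker DLL -> alert
    RegistrySetEvent(r"C:\Temp\installer.exe", TRUST_KEY + r"\$DLL",
                     r"C:\Temp\policy.dll"),
    # 5: unrelated Run-key persistence -> outside this rule's scope
    RegistrySetEvent(r"C:\Windows\System32\reg.exe",
                     r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upd",
                     r"C:\Temp\upd.exe"),
]

if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev.image} wrote {ev.details} -> {ev.target_object}")
```

Events 0 and 4 fire; the rest are dropped by the selection or by one of the two filters. Note that the poqexec.exe exclusion is keyed on the writing process, not on the DLL, so an attacker-supplied DLL written by anything other than the servicing process still alerts; conversely, if an attacker can get poqexec.exe to perform the write on their behalf the rule goes blind, which is a known trade-off of process-based exclusions.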
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2022-07-21