SIP Provider Modification

calendar Oct 21, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Defense Evasion Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon Data Source: Microsoft Defender for Endpoint Data Source: SentinelOne  ·
Share on: linkedin copy

Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/01/20"
 3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2024/10/17"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the
13Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature
14validation checks or inject code into critical processes.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "SIP Provider Modification"
21references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
22risk_score = 47
23rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
24severity = "medium"
25tags = [
26    "Domain: Endpoint",
27    "OS: Windows",
28    "Use Case: Threat Detection",
29    "Tactic: Defense Evasion",
30    "Data Source: Elastic Endgame",
31    "Data Source: Elastic Defend",
32    "Data Source: Sysmon",
33    "Data Source: Microsoft Defender for Endpoint",
34    "Data Source: SentinelOne",
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and
41  registry.path: (
42    "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
43    "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
44    "*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
45    "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
46    ) and
47  registry.data.strings:"*.dll" and
48  not (process.name : "msiexec.exe" and registry.data.strings : "mso.dll") and
49  not (process.name : "regsvr32.exe" and registry.data.strings == "WINTRUST.DLL")
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1553"
57name = "Subvert Trust Controls"
58reference = "https://attack.mitre.org/techniques/T1553/"
59[[rule.threat.technique.subtechnique]]
60id = "T1553.003"
61name = "SIP and Trust Provider Hijacking"
62reference = "https://attack.mitre.org/techniques/T1553/003/"
63
64
65
66[rule.threat.tactic]
67id = "TA0005"
68name = "Defense Evasion"
69reference = "https://attack.mitre.org/tactics/TA0005/"

References

Related rules

to-top