SIP Provider Modification
Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/20"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/17"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the
13Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature
14validation checks or inject code into critical processes.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "SIP Provider Modification"
21references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
22risk_score = 47
23rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
24severity = "medium"
25tags = [
26 "Domain: Endpoint",
27 "OS: Windows",
28 "Use Case: Threat Detection",
29 "Tactic: Defense Evasion",
30 "Data Source: Elastic Endgame",
31 "Data Source: Elastic Defend",
32 "Data Source: Sysmon",
33 "Data Source: Microsoft Defender for Endpoint",
34 "Data Source: SentinelOne",
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and
41 registry.path: (
42 "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
43 "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
44 "*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
45 "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
46 ) and
47 registry.data.strings:"*.dll" and
48 not (process.name : "msiexec.exe" and registry.data.strings : "mso.dll") and
49 not (process.name : "regsvr32.exe" and registry.data.strings == "WINTRUST.DLL")
50'''
51
52
53[[rule.threat]]
54framework = "MITRE ATT&CK"
55[[rule.threat.technique]]
56id = "T1553"
57name = "Subvert Trust Controls"
58reference = "https://attack.mitre.org/techniques/T1553/"
59[[rule.threat.technique.subtechnique]]
60id = "T1553.003"
61name = "SIP and Trust Provider Hijacking"
62reference = "https://attack.mitre.org/techniques/T1553/003/"
63
64
65
66[rule.threat.tactic]
67id = "TA0005"
68name = "Defense Evasion"
69reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Potential Credential Access via Windows Utilities
- Process Execution from an Unusual Directory
- Unusual Child Process from a System Virtual Process
- Adding Hidden File Attribute via Attrib
- Alternate Data Stream Creation/Execution at Volume Root Directory