SIP Provider Modification
Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/20"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the
11Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature
12validation checks or inject code into critical processes.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "SIP Provider Modification"
19references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
20risk_score = 47
21rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
22severity = "medium"
23tags = [
24 "Domain: Endpoint",
25 "OS: Windows",
26 "Use Case: Threat Detection",
27 "Tactic: Defense Evasion",
28 "Data Source: Elastic Endgame",
29 "Data Source: Elastic Defend",
30 "Data Source: Sysmon",
31]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36registry where host.os.type == "windows" and event.type:"change" and
37 registry.path: (
38 "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
39 "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
40 "*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
41 "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
42 ) and
43 registry.data.strings:"*.dll"
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1553"
51name = "Subvert Trust Controls"
52reference = "https://attack.mitre.org/techniques/T1553/"
53[[rule.threat.technique.subtechnique]]
54id = "T1553.003"
55name = "SIP and Trust Provider Hijacking"
56reference = "https://attack.mitre.org/techniques/T1553/003/"
57
58
59
60[rule.threat.tactic]
61id = "TA0005"
62name = "Defense Evasion"
63reference = "https://attack.mitre.org/tactics/TA0005/"
References
-
A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks. - mattifestation/PoCSubjectInterfacePackage
Read More
Related rules
- Code Signing Policy Modification Through Registry
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of Root Certificate
- DNS-over-HTTPS Enabled via Registry