SIP Provider Modification
Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/01/20"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the
Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature
validation checks or inject code into critical processes.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "SIP Provider Modification"
references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
risk_score = 47
rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: SentinelOne",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and registry.value : ("Dll", "$Dll") and
  registry.path: (
    "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
    "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
    "*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
    "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
  ) and
  registry.data.strings:"*.dll" and
  not (process.name : "msiexec.exe" and registry.data.strings : "mso.dll") and
  not (process.name : "regsvr32.exe" and registry.data.strings == "WINTRUST.DLL")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating SIP Provider Modification

Subject Interface Package (SIP) providers are the DLLs the Windows cryptographic subsystem loads to read and verify the embedded signature of a given file type, and trust providers make the final policy decision on the result. Both are registered in the registry by GUID, each entry naming a DLL and an exported function, so an adversary with administrative rights can repoint a registration at a DLL of their choosing and make unsigned or tampered code pass signature checks on that host. The detection rule flags changes to the `Dll` value under CryptSIPDllPutSignedDataMsg GUID subkeys and the `$DLL` value under FinalPolicy trust provider GUID subkeys, in both the native and WOW6432Node views, minus two narrow installer exclusions.

### Possible investigation steps

- Confirm which registration changed: the `Dll` value under a CryptSIPDllPutSignedDataMsg GUID subkey or the `$DLL` value under a FinalPolicy GUID subkey, and whether it was the native or WOW6432Node view. The GUID identifies which file type (SIP) or trust provider is affected.
- Read the sibling values of the same GUID key, in particular `FuncName` (or `$Function`), and the other CryptSIPDll* keys for that GUID such as CryptSIPDllVerifyIndirectData and CryptSIPDllGetSignedDataMsg. The rule only matches the DLL value, so a hijack that also repoints the function, or that targets a sibling key the rule does not watch, produces no separate alert.
- Identify the process that wrote the value, together with its parent and command line. The exclusions are deliberately narrow (msiexec.exe writing mso.dll, regsvr32.exe writing WINTRUST.DLL); any other DLL written by either of those binaries still warrants review, since both are routinely abused to execute attacker-supplied packages.
- Locate the DLL named in the registry data, resolving a bare file name against System32 (native view) or SysWOW64 (WOW6432Node), and check its path, publisher, signature, hash and creation time against a known-good host. Treat a signature verdict produced on the affected host with caution: once a SIP or trust provider is hijacked, that host's own validation can no longer be trusted.
- Correlate the event with process, file and network telemetry from Sysmon, Elastic Defend or Microsoft Defender for Endpoint around the same time, looking for the file write that dropped the DLL and for binaries executed afterwards whose signatures now verify unexpectedly.
- Assess the host's role and any recent change tickets, deployments or incidents that could explain the modification, and confirm the change was authorized before closing the alert.

### False positive analysis

- Installers run through msiexec.exe can register SIP entries as part of legitimate software installation; the rule already excludes msiexec.exe writing mso.dll (the Microsoft Office shared library). Extend the exception only for specific installer and DLL pairs you have verified.
- Maintenance or repair tasks that re-register WINTRUST.DLL via regsvr32.exe are excluded when the data is exactly WINTRUST.DLL. The rule compares that value case-sensitively, so a differently cased path still alerts and should be checked before being added to an exception.
- Updates or patches from trusted vendors may rewrite SIP provider entries. Record the resulting values on a patched reference host so the same change can be recognised as expected elsewhere.
- Security and endpoint protection software may register or refresh its own SIP or trust providers. Verify the publisher of the DLL and the installing process, then exclude by process and DLL path rather than by process name alone.
- Custom enterprise applications with a legitimate need to register a SIP (for example for a proprietary file format) should be reviewed once and then excluded by the specific GUID and DLL path.

### Response and remediation

- Isolate the affected system from the network: a hijacked provider means user-mode signature validation on that host can no longer be relied on.
- Terminate the process that wrote the value and any processes it spawned, unless it is a verified legitimate installer, and preserve the DLL it registered for analysis.
- Restore the modified DLL and function values to those of a known-good host of the same build, or from a registry backup, in both the native and WOW6432Node views, then remove the rogue DLL from disk.
- After the registrations are restored, re-verify the signatures of recently executed binaries and scan the host with updated antivirus and anti-malware tools; any results gathered while the provider was hijacked should be repeated.
- Review endpoint protection and configuration management policy so that writes to these keys are blocked, or at least alerted on, and confirm the rule's exclusions are still appropriate for the environment.
- Escalate to the security operations center (SOC) or incident response team, and sweep other hosts for the same DLL name, hash or registry values to determine scope.
- Document the indicators (DLL path, hash, GUID, writing process) and the containment and remediation steps taken, and feed them into threat intelligence to improve future response."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1553"
name = "Subvert Trust Controls"
reference = "https://attack.mitre.org/techniques/T1553/"
[[rule.threat.technique.subtechnique]]
id = "T1553.003"
name = "SIP and Trust Provider Hijacking"
reference = "https://attack.mitre.org/techniques/T1553/003/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
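The investigation steps above ask the analyst to find the DLL behind a changed registration, resolve it, and check its signature, and the false positive section asks for a baseline of expected values. The PowerShell below is an added triage helper that does both; it is not part of the Elastic rule or its investigation guide, and the function names Get-SipProviderInventory, Resolve-SipDll and Compare-SipProviderBaseline are this example's own. It walks exactly the two key families the query watches, in both the native and WOW6432Node views, and assumes Windows PowerShell 5.1 or later running as a 64-bit process with read access to HKLM.

```powershell
# Added example: inventory the SIP and trust-provider registrations the rule watches
# and verify the DLL each one points at. Not part of the Elastic rule; function
# names are this example's own. Assumes Windows PowerShell 5.1+ in a 64-bit process
# so that both the native and the WOW6432Node views are visible.

function Resolve-SipDll {
    param([string]$Dll, [bool]$Wow64)
    # Registrations often hold a bare file name (e.g. WINTRUST.DLL); the loader
    # resolves those from System32 (native view) or SysWOW64 (32-bit view).
    if ([System.IO.Path]::IsPathRooted($Dll)) { return $Dll }
    $dir = if ($Wow64) { 'SysWOW64' } else { 'System32' }
    return Join-Path (Join-Path $env:SystemRoot $dir) $Dll
}

function Get-SipProviderInventory {
    # The two key families and value names the detection rule matches.
    # '$DLL' and '$Function' are single-quoted so PowerShell does not expand them.
    $targets = @(
        @{ Sub = 'Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg'; Dll = 'Dll';  Func = 'FuncName' }
        @{ Sub = 'Microsoft\Cryptography\Providers\Trust\FinalPolicy';                    Dll = '$DLL'; Func = '$Function' }
    )
    $views = @(
        @{ Root = 'HKLM:\SOFTWARE';             Wow64 = $false; Name = 'Native' }
        @{ Root = 'HKLM:\SOFTWARE\WOW6432Node'; Wow64 = $true;  Name = 'WOW6432Node' }
    )
    $sysDirs = @("$env:SystemRoot\System32\*", "$env:SystemRoot\SysWOW64\*")

    foreach ($view in $views) {
        foreach ($t in $targets) {
            $base = Join-Path $view.Root $t.Sub
            if (-not (Test-Path -Path $base)) { continue }
            foreach ($key in Get-ChildItem -Path $base) {
                $dll = $key.GetValue($t.Dll)          # value-name lookup is case-insensitive
                if (-not $dll) { continue }
                $path   = Resolve-SipDll -Dll $dll -Wow64 $view.Wow64
                $exists = Test-Path -Path $path -PathType Leaf
                $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
                $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                $inSysDir = [bool]($sysDirs | Where-Object { $path -like $_ })
                [PSCustomObject]@{
                    Key        = $t.Sub.Split('\')[-1]
                    View       = $view.Name
                    Guid       = $key.PSChildName
                    Dll        = $dll
                    FuncName   = $key.GetValue($t.Func)
                    Resolved   = $path
                    SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'FileNotFound' }
                    Signer     = $signer
                    # Anything that is not a validly Microsoft-signed file in a system
                    # directory deserves a closer look (see the note below on trusting
                    # this verdict when it comes from the affected host).
                    Suspicious = -not ($exists -and $inSysDir -and $sig.Status -eq 'Valid' -and $signer -like '*Microsoft*')
                }
            }
        }
    }
}

function Compare-SipProviderBaseline {
    # Diff the live registrations against a snapshot taken on a known-good host of
    # the same build with: Get-SipProviderInventory | Export-Clixml sip-baseline.xml
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = @(Import-Clixml -Path $BaselinePath)
    Compare-Object -ReferenceObject $baseline -DifferenceObject @(Get-SipProviderInventory) `
        -Property Key, View, Guid, Dll, FuncName
}

# Usage: list only the registrations that fail the checks above.
Get-SipProviderInventory | Where-Object Suspicious |
    Format-Table Key, View, Guid, Dll, FuncName, SigStatus, Signer -AutoSize
```

Two caveats when reading the output. First, Get-AuthenticodeSignature on the affected host goes through that host's own SIP and trust providers, so if the PE provider is the one that was hijacked, a "Valid" verdict there proves nothing; copy the DLL off the machine and hash and verify it on a clean system. Second, many Windows system DLLs are catalog-signed rather than carrying an embedded signature; Windows 10 with PowerShell 5.1 reports those as Valid, but older hosts may report NotSigned and need a catalog-aware checker before the row is treated as suspicious.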
References
- https://github.com/mattifestation/PoCSubjectInterfacePackage
Related rules
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Attempt to Install Kali Linux via WSL
- Command Shell Activity Started via RunDLL32
- Control Panel Process with Unusual Arguments
- DNS Global Query Block List Modified or Disabled