SIP Provider Modification
Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/20"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the
13Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature
14validation checks or inject code into critical processes.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "SIP Provider Modification"
21references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
22risk_score = 47
23rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
26timestamp_override = "event.ingested"
27type = "eql"
28
29query = '''
30registry where host.os.type == "windows" and event.type:"change" and
31 registry.path: (
32 "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
33 "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{*}\\Dll",
34 "*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll",
35 "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{*}\\$Dll"
36 ) and
37 registry.data.strings:"*.dll"
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1553"
45name = "Subvert Trust Controls"
46reference = "https://attack.mitre.org/techniques/T1553/"
47[[rule.threat.technique.subtechnique]]
48id = "T1553.003"
49name = "SIP and Trust Provider Hijacking"
50reference = "https://attack.mitre.org/techniques/T1553/003/"
51
52
53
54[rule.threat.tactic]
55id = "TA0005"
56name = "Defense Evasion"
57reference = "https://attack.mitre.org/tactics/TA0005/"
References
-
A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks. - mattifestation/PoCSubjectInterfacePackage
Read More
Related rules
- Code Signing Policy Modification Through Registry
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Creation or Modification of Root Certificate
- DNS-over-HTTPS Enabled via Registry