detection.wiki

ATT&CK coverage › Technique

Subvert Trust Controls: SIP and Trust Provider Hijacking T1553.003

Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature.

Events covered

2 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)
CAPI281For more details for this event, please refer to the "Details" section

Authoring guide

Patterns shared across the 3 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (6 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Details1eq 1WINTRUST.DLL, mso.dll, C:\Windows\System32\PsfSip.dll
Image1eq 1C:\Windows\System32\poqexec.exe
TargetObject1match 1\CryptSIPDll, \Dll, \SOFTWARE\Microsoft\Cryptography\OID\EncodingType
registry_path1in 1"*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\..., "*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\*"
registry_value_name1in 1"$DLL", "Dll"
EventID1eq 181

Top indicator values (18 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
DetailseqC:\Windows\System32\PsfSip.dll1
TargetObjectmatch\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType1
TargetObjectmatch\Dll1
Detailseqmso.dll1
TargetObjectmatch\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\1
TargetObjectmatch\SOFTWARE\Microsoft\Cryptography\OID\EncodingType1
ImageeqC:\Windows\System32\poqexec.exe17
TargetObjectmatch\SOFTWARE\Microsoft\Cryptography\Providers\1
TargetObjectmatch\$DLL1
DetailseqWINTRUST.DLL1
TargetObjectmatch\CryptSIPDll1
registry_value_namein"Dll"1
registry_pathin"*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*"1
registry_pathin"*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType*"1
registry_pathin"*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType*"1
registry_value_namein"$DLL"1
registry_pathin"*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\*"1
EventIDeq811

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 1 rule

Splunk 2 rules