Name:Windows SIP Provider Inventory id:21c5af91-1a4a-4511-8603-64fb41df3fad version:3 date:2024-10-17 author:Michael Haag, Splunk status:production type:Hunting Description:The following analytic identifies all SIP (Subject Interface Package) providers on a Windows system using PowerShell scripted inputs. It detects SIP providers by capturing DLL paths from relevant events. This activity is significant because malicious SIP providers can be used to bypass trust controls, potentially allowing unauthorized code execution. If confirmed malicious, this activity could enable attackers to subvert system integrity, leading to unauthorized access or persistent threats within the environment. Analysts should review for new and non-standard paths to identify potential threats. Data_source:
search:`subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`
how_to_implement:To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 known_false_positives:False positives are limited as this is a hunting query for inventory. References: -https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 drilldown_searches:
: tags: analytic_story: - 'Subvert Trust Controls SIP and Trust Provider Hijacking' asset_type:Endpoint atomic_guid: confidence:50 impact:50 message:A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$. mitre_attack_id: - 'T1553.003' observable: name:'host' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' risk_score:25 required_fields: - 'Path' - 'Dll' - 'host' security_domain:endpoint
