SIP and Trust Provider Hijacking
Adversaries may tamper with Subject Interface Package (SIP) and trust provider components to mislead the operating system and application control tools during Authenticode signature validation. SIPs provide an abstraction layer between the WinVerifyTrust API and specific file formats, identified by GUIDs in the registry. Adversaries hijack these components by modifying Dll and FuncName registry values under HKLM\SOFTWARE[\WOW6432Node]\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{GUID} (to return a forged known-good certificate) or CryptSIPDllVerifyIndirectData\{GUID} (to always return TRUE for hash validation). Trust providers may be hijacked by modifying $DLL and $Function values under HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{GUID}. This allows malicious or unsigned code to appear validly signed to application whitelisting tools, AppLocker, WDAC, and SmartScreen. Because SIP components are invoked by any process performing signature validation, hijacking them also provides persistent code execution opportunities.
```kql
// Registry locations that back Authenticode SIPs and the trust provider final policy
let SIPRegistryPaths = dynamic([
    "Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg",
    "Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData",
    "Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (SIPRegistryPaths)
// Key-creation events carry no value name, so only value-set events are filtered on it
| where (ActionType == "RegistryValueSet" and RegistryValueName in~ ("Dll", "FuncName", "$DLL", "$Function"))
    or ActionType == "RegistryKeyCreated"
| extend SIPType = case(
    RegistryKey has "CryptSIPDllGetSignedDataMsg", "SIP-GetSignedDataMsg",
    RegistryKey has "CryptSIPDllVerifyIndirectData", "SIP-VerifyIndirectData",
    RegistryKey has "Trust\\FinalPolicy", "TrustProvider-FinalPolicy",
    "Unknown")
| extend IsWow64Node = RegistryKey has "WOW6432Node"
| extend NewDllPath = RegistryValueData
// Built-in SIPs and trust providers resolve to System32/SysWOW64 (wintrust.dll, mssip32.dll);
// a Dll value pointing anywhere else deserves a look. Empty data (key creation) is not flagged.
| extend IsNonSystemDll = isnotempty(RegistryValueData) and not(RegistryValueData has_any (
    "C:\\Windows\\System32",
    "C:\\Windows\\SysWOW64",
    "wintrust.dll",
    "mssip32.dll"
))
| project
    Timestamp,
    DeviceName,
    AccountName,
    ActionType,
    RegistryKey,
    RegistryValueName,
    NewDllPath,
    SIPType,
    IsWow64Node,
    IsNonSystemDll,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessAccountName,
    InitiatingProcessId
| sort by Timestamp desc
```
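The same triage logic, re-implemented as an added Python example (not code from the original page) so it can be run offline over exported DeviceRegistryEvents rows; the sample rows, the `{EXAMPLE-GUID}` and the DLL paths in them are constructed placeholders, not real registrations.

```python
# Added example (not from the page): the query's logic over constructed DeviceRegistryEvents rows
KEY_TYPES = {  # substring of the registry key -> component being re-registered
    "cryptsipdllgetsigneddatamsg": "SIP-GetSignedDataMsg",
    "cryptsipdllverifyindirectdata": "SIP-VerifyIndirectData",
    "\\trust\\finalpolicy": "TrustProvider-FinalPolicy",
}
WATCHED_VALUES = {"dll", "funcname", "$dll", "$function"}
SYSTEM_DLL_HINTS = ("c:\\windows\\system32", "c:\\windows\\syswow64",  # built-in SIP homes
                    "wintrust.dll", "mssip32.dll")

def classify_key(registry_key):
    """Return the SIP/trust-provider component a key belongs to, or None."""
    k = registry_key.lower()
    if "\\cryptography\\" not in k:
        return None
    return next((label for needle, label in KEY_TYPES.items() if needle in k), None)

def analyze_events(events):
    """One finding per event that (re)registers a SIP or trust-provider DLL."""
    findings = []
    for ev in events:
        sip_type = classify_key(ev["RegistryKey"])
        if sip_type is None or ev["ActionType"] not in ("RegistryValueSet", "RegistryKeyCreated"):
            continue
        value_name = (ev.get("RegistryValueName") or "").lower()
        # Key-creation rows carry no value name, so only value-set rows are filtered on it
        if ev["ActionType"] == "RegistryValueSet" and value_name not in WATCHED_VALUES:
            continue
        data = (ev.get("RegistryValueData") or "").lower()
        findings.append({
            "SIPType": sip_type,
            "IsWow64Node": "wow6432node" in ev["RegistryKey"].lower(),
            "NewDllPath": ev.get("RegistryValueData"),
            # Only a Dll/$DLL value can redirect validation to a foreign module
            "IsNonSystemDll": value_name in ("dll", "$dll") and not any(h in data for h in SYSTEM_DLL_HINTS),
        })
    return findings

def row(action, key, name=None, data=None):
    return {"ActionType": action, "RegistryKey": key, "RegistryValueName": name, "RegistryValueData": data}
OID = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
SAMPLE_EVENTS = [  # constructed rows; {EXAMPLE-GUID} and the paths are placeholders
    row("RegistryValueSet", OID + "\\CryptSIPDllVerifyIndirectData\\{EXAMPLE-GUID}", "Dll",
        "C:\\ProgramData\\example\\custom_sip.dll"),
    row("RegistryKeyCreated", "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography"
        "\\Providers\\Trust\\FinalPolicy\\{EXAMPLE-GUID}"),
    row("RegistryValueSet", OID + "\\CryptSIPDllGetSignedDataMsg\\{EXAMPLE-GUID}", "Dll",
        "C:\\Windows\\System32\\wintrust.dll"),
    row("RegistryValueSet", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
        "Dll", "C:\\ProgramData\\example\\custom_sip.dll"),
]
```

Only the first sample row is both in scope and pointing outside the system SIP modules; the wintrust.dll re-registration is surfaced but not flagged, and the unrelated Run key is ignored.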
False Positives
- Legitimate installation of cryptographic middleware or HSM drivers (SafeNet, Thales, Gemalto) that register custom SIPs for hardware token certificate formats
- Enterprise PKI infrastructure tools (DigiCert, Entrust, Sectigo enrollment agents) that register custom SIP providers as part of their installation
- Security software updates (antivirus, endpoint protection platforms) that modify trust provider DLL references during installation or major version upgrades
- Development tools or code-signing utilities that register custom SIPs for proprietary binary formats during installation (e.g., game engine tools, specialized signing utilities)
References
- https://attack.mitre.org/techniques/T1553/003/
- https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
- https://github.com/mattifestation/PoCSubjectInterfacePackage
- https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx
- https://msdn.microsoft.com/library/ms537359.aspx
- https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/
- https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files
- https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck