T1553.003 Microsoft Sentinel · KQL

Detect SIP and Trust Provider Hijacking in Microsoft Sentinel

Adversaries may tamper with Subject Interface Package (SIP) and trust provider components to mislead the operating system and application control tools during Authenticode signature validation. SIPs provide an abstraction layer between the WinVerifyTrust API and specific file formats, identified by GUIDs in the registry. Adversaries hijack these components by modifying Dll and FuncName registry values under HKLM\SOFTWARE[\WOW6432Node]\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{GUID} (to return a forged known-good certificate) or CryptSIPDllVerifyIndirectData\{GUID} (to always return TRUE for hash validation). Trust providers may be hijacked by modifying $DLL and $Function values under HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{GUID}. This allows malicious or unsigned code to appear validly signed to application whitelisting tools, AppLocker, WDAC, and SmartScreen. Because SIP components are invoked by any process performing signature validation, hijacking them also provides persistent code execution opportunities.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Sub-technique
T1553.003 SIP and Trust Provider Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1553/003/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SIPRegistryPaths = dynamic([
    "Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg",
    "Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData",
    "Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy"
]);
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (SIPRegistryPaths)
| where RegistryValueName in~ ("Dll", "FuncName", "$DLL", "$Function")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend SIPType = case(
    RegistryKey has "CryptSIPDllGetSignedDataMsg", "SIP-GetSignedDataMsg",
    RegistryKey has "CryptSIPDllVerifyIndirectData", "SIP-VerifyIndirectData",
    RegistryKey has "Trust\\FinalPolicy", "TrustProvider-FinalPolicy",
    "Unknown")
| extend IsWow64Node = RegistryKey has "WOW6432Node"
| extend NewDllPath = RegistryValueData
| extend IsNonSystemDll = not(RegistryValueData has_any (
    "C:\\Windows\\System32",
    "C:\\Windows\\SysWOW64",
    "wintrust.dll",
    "mssip32.dll"
  ))
| project
    Timestamp,
    DeviceName,
    AccountName,
    ActionType,
    RegistryKey,
    RegistryValueName,
    NewDllPath,
    SIPType,
    IsWow64Node,
    IsNonSystemDll,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessAccountName,
    InitiatingProcessId
| sort by Timestamp desc
critical severity high confidence

Detects modifications to SIP (Subject Interface Package) and trust provider registry keys that control Windows Authenticode signature validation. Monitors HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0 under both CryptSIPDllGetSignedDataMsg and CryptSIPDllVerifyIndirectData for Dll/FuncName value changes, and Cryptography\Providers\Trust\FinalPolicy for $DLL/$Function value changes. The IsNonSystemDll flag (true = suspicious) highlights modifications pointing outside System32/SysWOW64, which is the strongest indicator of malicious DLL substitution. Covers both 64-bit and WOW6432Node (32-bit) registry paths.

Data Sources

Windows Registry: Registry Key ModificationMicrosoft Defender for Endpoint

Required Tables

DeviceRegistryEvents

False Positives & Tuning

  • Legitimate installation of cryptographic middleware or HSM drivers (SafeNet, Thales, Gemalto) that register custom SIPs for hardware token certificate formats
  • Enterprise PKI infrastructure tools (DigiCert, Entrust, Sectigo enrollment agents) that register custom SIP providers as part of their installation
  • Security software updates (antivirus, endpoint protection platforms) that modify trust provider DLL references during installation or major version upgrades
  • Development tools or code-signing utilities that register custom SIPs for proprietary binary formats during installation (e.g., game engine tools, specialized signing utilities)
Download portable Sigma rule (.yml)

Other platforms for T1553.003

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1SIP CryptSIPDllVerifyIndirectData Hijack — PE SIP Verify Function Override

    Expected signal: Sysmon Event ID 13 (Registry Value Set): Two sequential events with TargetObject = HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll and ...\FuncName. Details field shows C:\Windows\System32\ntdll.dll and DbgUiContinue respectively. Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. DeviceRegistryEvents in MDE: ActionType=RegistryValueSet, InitiatingProcessFileName=powershell.exe.

  2. Test 2SIP CryptSIPDllGetSignedDataMsg Hijack via reg.exe — PE SIP Certificate Retrieval Override

    Expected signal: Sysmon Event ID 1 (Process Create): reg.exe with CommandLine containing 'CryptSIPDllGetSignedDataMsg' and '/v Dll'. Sysmon Event ID 13 (Registry Value Set): Two events for the Dll and FuncName values under CryptSIPDllGetSignedDataMsg\{C689AAB8...}, Details shows ntdll.dll and DbgPrintEx. Security Event ID 4688 (if command line auditing enabled): reg.exe process creation with command line. DeviceProcessEvents in MDE: FileName=reg.exe with full command line.

  3. Test 3Trust Provider FinalPolicy Registry Hijack — Software Publishing Trust Provider

    Expected signal: Sysmon Event ID 13 (Registry Value Set): Two sequential events with TargetObject = HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL and ...\$Function. Details field shows C:\Windows\System32\ntdll.dll and DbgUiContinue. Image=powershell.exe. DeviceRegistryEvents in MDE: RegistryKey contains Trust\FinalPolicy, RegistryValueName=$DLL and $Function, ActionType=RegistryValueSet.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1553.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1553Subvert Trust Controls

Related Sub-techniques

T1553.001Gatekeeper BypassT1553.002Code SigningT1553.004Install Root CertificateT1553.005Mark-of-the-Web BypassT1553.006Code Signing Policy Modification

Related Techniques

T1553Subvert Trust ControlsT1553.002Code SigningT1574.001DLLT1574.002DLL Side-LoadingT1112Modify RegistryT1218System Binary Proxy ExecutionT1562.001Disable or Modify ToolsT1036.001Invalid Code Signature

Same Tactic: Defense Evasion

Popular Detections