Detect SIP and Trust Provider Hijacking in Sumo Logic CSE
Adversaries may tamper with Subject Interface Package (SIP) and trust provider components to mislead the operating system and application control tools during Authenticode signature validation. SIPs provide an abstraction layer between the WinVerifyTrust API and specific file formats, identified by GUIDs in the registry. Adversaries hijack these components by modifying Dll and FuncName registry values under HKLM\SOFTWARE[\WOW6432Node]\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{GUID} (to return a forged known-good certificate) or CryptSIPDllVerifyIndirectData\{GUID} (to always return TRUE for hash validation). Trust providers may be hijacked by modifying $DLL and $Function values under HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{GUID}. This allows malicious or unsigned code to appear validly signed to application whitelisting tools, AppLocker, WDAC, and SmartScreen. Because SIP components are invoked by any process performing signature validation, hijacking them also provides persistent code execution opportunities.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1553 Subvert Trust Controls
- Sub-technique: T1553.003 SIP and Trust Provider Hijacking
- Canonical reference: https://attack.mitre.org/techniques/T1553/003/
Sumo Detection Query
_sourceCategory="windows/sysmon" EventCode=13
| where TargetObject matches "*CryptSIPDllGetSignedDataMsg*"
    OR TargetObject matches "*CryptSIPDllVerifyIndirectData*"
    OR TargetObject matches "*Trust\\FinalPolicy*"
| where TargetObject matches "*\\Dll"
    OR TargetObject matches "*\\FuncName"
    OR TargetObject matches "*\\$DLL"
    OR TargetObject matches "*\\$Function"
| if (TargetObject matches "*CryptSIPDllGetSignedDataMsg*", "SIP-GetSignedDataMsg",
    if (TargetObject matches "*CryptSIPDllVerifyIndirectData*", "SIP-VerifyIndirectData",
    if (TargetObject matches "*Trust\\FinalPolicy*", "TrustProvider-FinalPolicy", "Unknown"))) as SIPType
| if (TargetObject matches "*WOW6432Node*", "true", "false") as IsWow64
| if (!(Details matches /(?i)(windows\\system32|windows\\syswow64|wintrust\.dll|mssip32\.dll)/), "true", "false") as IsNonSystemDll
| table _messageTime, Computer, User, Image, CommandLine, TargetObject, Details, SIPType, IsWow64, IsNonSystemDll
| sort by _messageTime

Detects Sysmon EventCode 13 (RegistryValueSet) events that write to SIP and Trust Provider registry paths in Sumo Logic. Each event is enriched with the SIP component type, a WOW64 node flag, and a boolean indicating whether the DLL path being written falls outside the trusted Windows system directories, which is the primary indicator of malicious SIP hijacking. IsNonSystemDll is an enrichment rather than a filter: the Atomic Red Team tests below point the SIP at ntdll.dll in System32, so they still surface in the results, with IsNonSystemDll set to false.
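The query's filtering and enrichment logic, re-implemented in Python as an added example (this is not code from the original page or the Sumo rule) and run over constructed Sysmon Event 13 records; the registry paths and GUIDs are those shown in the tests below, while the non-system DLL path in the samples is made up. It departs from the query in one respect: IsNonSystemDll is only computed for the Dll/$DLL values, since FuncName/$Function writes carry a function name rather than a path and would otherwise always read as "non-system".

```python
import re

# Constructed Sysmon Event ID 13 records (not real telemetry); only the
# fields the Sumo query relies on are included.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0"
                     r"\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll",
     "Details": r"C:\Windows\System32\ntdll.dll"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0"
                     r"\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName",
     "Details": "DbgUiContinue"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0"
                     r"\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll",
     "Details": r"C:\ProgramData\custom\sip.dll"},   # constructed non-system path
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy"
                     r"\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL",
     "Details": r"C:\Windows\System32\WINTRUST.DLL"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy"
                     r"\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\Description",
     "Details": "irrelevant"},                          # wrong value name: out of scope
]

# Same path markers, value names and system-path regex the query keys on.
SIP_TYPES = [("CryptSIPDllGetSignedDataMsg", "SIP-GetSignedDataMsg"),
             ("CryptSIPDllVerifyIndirectData", "SIP-VerifyIndirectData"),
             ("Trust\\FinalPolicy", "TrustProvider-FinalPolicy")]
DLL_VALUES, FUNC_VALUES = ("Dll", "$DLL"), ("FuncName", "$Function")
SYSTEM_DLL_RE = re.compile(r"windows\\system32|windows\\syswow64|wintrust\.dll|mssip32\.dll", re.I)

def classify(event):
    """Enrich one Event 13 record the way the query does; None means out of scope."""
    target = event["TargetObject"]
    sip_type = next((label for marker, label in SIP_TYPES if marker in target), None)
    value_name = target.rsplit("\\", 1)[-1]
    if sip_type is None or value_name not in DLL_VALUES + FUNC_VALUES:
        return None
    hit = {"Image": event["Image"], "TargetObject": target, "Details": event["Details"],
           "SIPType": sip_type, "IsWow64": "WOW6432Node" in target}
    # Only DLL-path values get the system-directory check (see lead-in).
    hit["IsNonSystemDll"] = (SYSTEM_DLL_RE.search(event["Details"]) is None
                             if value_name in DLL_VALUES else None)
    return hit

def detect(events):
    """Return enriched hits for every in-scope record, in input order."""
    return [h for h in map(classify, events) if h is not None]
```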
Data Sources
Required Tables
False Positives & Tuning
- Security software vendors (antivirus, DLP products) that register custom SIP DLL handlers to inspect additional file types during Authenticode validation as part of their product functionality
- Custom in-house build tooling or CI/CD agents that register proprietary file format SIP providers during initial agent setup on build servers
- Windows cumulative updates modifying trust provider registrations when patching the cryptographic subsystem, particularly wintrust.dll version upgrades distributed via Windows Update
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SIP CryptSIPDllVerifyIndirectData Hijack — PE SIP Verify Function Override
  Expected signal: Sysmon Event ID 13 (Registry Value Set): Two sequential events with TargetObject = HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\Dll and ...\FuncName. Details field shows C:\Windows\System32\ntdll.dll and DbgUiContinue respectively. Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. DeviceRegistryEvents in MDE: ActionType=RegistryValueSet, InitiatingProcessFileName=powershell.exe.
- Test 2: SIP CryptSIPDllGetSignedDataMsg Hijack via reg.exe — PE SIP Certificate Retrieval Override
  Expected signal: Sysmon Event ID 1 (Process Create): reg.exe with CommandLine containing 'CryptSIPDllGetSignedDataMsg' and '/v Dll'. Sysmon Event ID 13 (Registry Value Set): Two events for the Dll and FuncName values under CryptSIPDllGetSignedDataMsg\{C689AAB8...}, Details shows ntdll.dll and DbgPrintEx. Security Event ID 4688 (if command line auditing enabled): reg.exe process creation with command line. DeviceProcessEvents in MDE: FileName=reg.exe with full command line.
- Test 3: Trust Provider FinalPolicy Registry Hijack — Software Publishing Trust Provider
  Expected signal: Sysmon Event ID 13 (Registry Value Set): Two sequential events with TargetObject = HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL and ...\$Function. Details field shows C:\Windows\System32\ntdll.dll and DbgUiContinue. Image=powershell.exe. DeviceRegistryEvents in MDE: RegistryKey contains Trust\FinalPolicy, RegistryValueName=$DLL and $Function, ActionType=RegistryValueSet.
References (10)
- https://attack.mitre.org/techniques/T1553/003/
- https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
- https://github.com/mattifestation/PoCSubjectInterfacePackage
- https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx
- https://msdn.microsoft.com/library/ms537359.aspx
- https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/
- https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files
- https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md
- https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck