splunk_escuHunting

Windows SIP Provider Inventory

The following analytic identifies all SIP (Subject Interface Package) providers on a Windows system using PowerShell scripted inputs. It detects SIP providers by capturing DLL paths from relevant events. This activity is significant because malicious SIP providers can be used to bypass trust controls, potentially allowing unauthorized code execution. If confirmed malicious, this activity could enable attackers to subvert system integrity, leading to unauthorized access or persistent threats within the environment. Analysts should review for new and non-standard paths to identify potential threats.

MITRE ATT&CK

T1553.003

Detection Query

`subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`

Author

Michael Haag, Splunk

Created

2025-05-02

References

https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1

Tags

Subvert Trust Controls SIP and Trust Provider Hijacking

Raw Content

name: Windows SIP Provider Inventory
id: 21c5af91-1a4a-4511-8603-64fb41df3fad
version: 5
date: '2025-05-02'
author: Michael Haag, Splunk
status: production
type: Hunting
data_source: []
description: The following analytic identifies all SIP (Subject Interface Package) providers on a Windows system using PowerShell scripted inputs. It detects SIP providers by capturing DLL paths from relevant events. This activity is significant because malicious SIP providers can be used to bypass trust controls, potentially allowing unauthorized code execution. If confirmed malicious, this activity could enable attackers to subvert system integrity, leading to unauthorized access or persistent threats within the environment. Analysts should review for new and non-standard paths to identify potential threats.
search: '`subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`'
how_to_implement: To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1
known_false_positives: False positives are limited as this is a hunting query for inventory.
references:
    - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1
tags:
    analytic_story:
        - Subvert Trust Controls SIP and Trust Provider Hijacking
    asset_type: Endpoint
    atomic_guid: []
    mitre_attack_id:
        - T1553.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log
          source: powershell://SubjectInterfacePackage
          sourcetype: PwSh:SubjectInterfacePackage