T1553.003

SIP and Trust Provider Hijacking

Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVeri...

Platform: Windows
5 Detections
3 Sources
0 Threat Actors

BY SOURCE

3 splunk_escu, 1 elastic, 1 sigma

PROCEDURES (4)

Persist: 2 detections

Auto-extracted: 2 detections for persist

Registry Monitoring: 1 detection

Auto-extracted: 1 detection for registry monitoring

Persist: 1 detection

Auto-extracted: 1 detection for persist

General Monitoring: 1 detection

Auto-extracted: 1 detection for general monitoring

DETECTIONS (5)