Commit
Sip Happens: Stirring Up the Crypto with a New Module
Showing 2 changed files with 68 additions and 0 deletions.
@@ -0,0 +1,45 @@ | ||
name: Windows SIP Provider Inventory | ||
id: 21c5af91-1a4a-4511-8603-64fb41df3fad | ||
version: 1 | ||
date: '2023-10-10' | ||
author: Michael Haag, Splunk | ||
status: production | ||
type: Hunting | ||
data_source: [] | ||
description: The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers. | ||
search: 'sourcetype = PwSh:SubjectInterfacePackage Dll=*\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`' | ||
how_to_implement: To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 | ||
known_false_positives: False positives are limited as this is a hunting query for inventory. | ||
references: | ||
- https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1 | ||
tags: | ||
analytic_story: | ||
- Subvert Trust Controls SIP and Trust Provider Hijacking | ||
asset_type: endpoint | ||
atomic_guid: [] | ||
confidence: 50 | ||
impact: 50 | ||
message: A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$. | ||
mitre_attack_id: | ||
- T1553.003 | ||
observable: | ||
- name: host | ||
type: Endpoint | ||
role: | ||
- Victim | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
risk_score: 25 | ||
required_fields: | ||
- Path | ||
- Dll | ||
- host | ||
security_domain: endpoint | ||
tests: | ||
- name: True Positive Test | ||
attack_data: | ||
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log | ||
source: powershell://SubjectInterfacePackage | ||
sourcetype: PwSh:SubjectInterfacePackage |
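Review bot: `data_source: []` is left empty even though the search hard-codes `sourcetype = PwSh:SubjectInterfacePackage` and the test block names `source: powershell://SubjectInterfacePackage`; declare the data source so the analytic is tied to the scripted input it depends on. The hunt also has no notion of a baseline: the description and `message` tell the analyst to look for "new and non-standard paths for SIP providers", but neither the SPL nor `known_false_positives` says which paths are expected, so either document the expected locations there or carve them out in `windows_sip_provider_inventory_filter`, which the search references but which is not among the two files in this commit (confirm it exists or is generated by the build). Minor wording in `description` ("used with a PowerShell scripted inputs") and `how_to_implement` ("using a scripted inputs") should read "scripted input", and `by Path host| ` wants a space before the pipe to match the rest of the search.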
stories/subvert_trust_controls_sip_and_trust_provider_hijacking.yml (23 additions & 0 deletions)
@@ -0,0 +1,23 @@ | ||
name: Subvert Trust Controls SIP and Trust Provider Hijacking | ||
id: 7faf91b6-532a-4f18-807c-b2761e90b6dc | ||
version: 1 | ||
date: '2023-10-10' | ||
author: Michael Haag, Splunk | ||
description: Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. | ||
narrative: In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed. | ||
references: | ||
- https://attack.mitre.org/techniques/T1553/003/ | ||
- https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml | ||
- https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf | ||
- https://github.com/gtworek/PSBits/tree/master/SIP | ||
- https://github.com/mattifestation/PoCSubjectInterfacePackage | ||
- https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/ | ||
tags: | ||
analytic_story: Subvert Trust Controls SIP and Trust Provider Hijacking | ||
category: | ||
- Adversary Tactics | ||
product: | ||
- Splunk Enterprise | ||
- Splunk Enterprise Security | ||
- Splunk Cloud | ||
usecase: Advanced Threat Detection |
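Review bot: the story ships with only the hunting analytic added in this commit, yet its own description says the technique works by modifying the `Dll` and `FuncName` Registry values that point a SIP at a malicious DLL; an inventory of registered SIP DLLs only surfaces that after the fact. The references already include the Sigma `registry_set_sip_persistence` rule, so a registry-modification analytic watching those values would give the story a detection rather than just a hunt. Also note that `description` and `narrative` are taken almost verbatim from the cited ATT&CK T1553.003 page; that is fine with the reference present, but the story would be more actionable with a sentence on how the inventory hunt and a registry analytic complement each other.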