splunk · patel-bhavin · Oct 13, 2023 · Oct 10, 2023 · Oct 10, 2023 · Oct 10, 2023
@@ -0,0 +1,56 @@
+name: 'Windows Registry SIP Provider Modification'
+id: 3b4e18cb-497f-4073-85ad-1ada7c2107ab
+version: 1
+date: '2023-10-10'
+author: Michael Haag, Splunk
+status: production
+type: TTP
+data_source:
+- Sysmon Event ID 7
+description: 'The following analytic detects modifications to the Windows Registry SIP Provider. It identifies this behavior by monitoring Sysmon Event ID 7, which logs registry modification events. The analytic specifically looks for changes in registry paths and values associated with Cryptography Providers and OID Encoding Types. This behavior is worth identifying as it may indicate an attempt to subvert trust controls, a technique often used by adversaries to bypass security measures and maintain persistence in an environment. If a true positive is found, it suggests an attacker is trying to manipulate the system''s cryptographic functions, potentially leading to unauthorized access, data theft, or other damaging outcomes. Upon triage, review the registry paths and values modified, and look for concurrent processes to identify the attack source. Review the path of the SIP being added. This approach helps analysts detect potential threats earlier and mitigate the risks.'
+search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name)
+  as registry_key_name values(Registry.registry_path) as registry_path min(_time)
+  as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path IN ("*\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\Providers\\*", "*\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType*") Registry.registry_value_name IN ("Dll","$DLL") by
+  Registry.dest , Registry.user Registry.registry_value_name, Registry.registry_value_data | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
+  | `drop_dm_object_name(Registry)`| `windows_registry_sip_provider_modification_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. In addition, confirm the latest CIM App 4.20 or higher is installed and the latest TA for the endpoint product.
+known_false_positives: Be aware of potential false positives - legitimate applications may cause benign activities to be flagged.
+references:
+  - https://attack.mitre.org/techniques/T1553/003/
+  - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
+  - https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf
+  - https://github.com/gtworek/PSBits/tree/master/SIP
+  - https://github.com/mattifestation/PoCSubjectInterfacePackage
+  - https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/
+tags:
+  analytic_story:
+  - Subvert Trust Controls SIP and Trust Provider Hijacking
+  asset_type: endpoint
+  atomic_guid: []
+  confidence: 80
+  impact: 80
+  message: Windows Registry SIP Provider Modification detected on $dest$.
+  mitre_attack_id:
+  - T1553.003
+  observable:
+  - name: dest
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 64
+  required_fields:
+  - Registry.dest
+  - Registry.user
+  - Registry.registry_value_name
+  - Registry.registry_value_data
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: xmlwineventlog
@@ -0,0 +1,45 @@
+name: Windows SIP Provider Inventory
+id: 21c5af91-1a4a-4511-8603-64fb41df3fad
+version: 1
+date: '2023-10-10'
+author: Michael Haag, Splunk
+status: production
+type: Hunting
+data_source: []
+description: The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers.
+search: '`subjectinterfacepackage` Dll=*\\*.dll | stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_sip_provider_inventory_filter`'
+how_to_implement: To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1
+known_false_positives: False positives are limited as this is a hunting query for inventory.
+references:
+- https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1
+tags:
+  analytic_story:
+  - Subvert Trust Controls SIP and Trust Provider Hijacking
+  asset_type: endpoint
+  atomic_guid: []
+  confidence: 50
+  impact: 50
+  message: A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$.
+  mitre_attack_id:
+  - T1553.003
+  observable:
+  - name: host
+    type: Endpoint
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 25
+  required_fields:
+  - Path
+  - Dll
+  - host
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/sip_inventory.log
+    source: powershell://SubjectInterfacePackage
+    sourcetype: PwSh:SubjectInterfacePackage
@@ -0,0 +1,52 @@
+name: Windows SIP WinVerifyTrust Failed Trust Validation
+id: 6ffc7f88-415b-4278-a80d-b957d6539e1a
+version: 1
+date: '2023-10-10'
+author: Michael Haag, Splunk
+status: production
+type: Anomaly
+data_source: []
+description: The following analytic utilizes a Windows Event Log - CAPI2 - or CryptoAPI 2, to identify failed trust validation. Typically, this event log is meant for diagnosing PKI issues, however is a great source to identify failed trust validation. Note that this event log is noisy as it captures common PKI requests from many different processes. EventID 81 is generated anytime a trust validation fails. The description for EventID 81 is "The digital signature of the object did not verify." STRT tested this analytic using Mimikatz binary.
+search: '`capi2_operational` EventID=81 "The digital signature of the object did not verify." | xmlkv UserData_Xml | stats count min(_time) as firstTime max(_time) as lastTime by Computer, UserData_Xml | rename Computer as dest | `windows_sip_winverifytrust_failed_trust_validation_filter`'
+how_to_implement: To implement this analytic, one will need to enable the Microsoft-Windows-CAPI2/Operational
+  log within the Windows Event Log. Note this is a debug log for many purposes, and
+  the analytic only focuses in on EventID 81. Review the following gist for additional
+  enabling information.
+known_false_positives: False positives may be present in some instances of legitimate binaries with invalid signatures. Filter as needed.
+references:
+  - https://attack.mitre.org/techniques/T1553/003/
+  - https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf
+  - https://github.com/gtworek/PSBits/tree/master/SIP
+  - https://github.com/mattifestation/PoCSubjectInterfacePackage
+  - https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/
+tags:
+  analytic_story:
+  - Subvert Trust Controls SIP and Trust Provider Hijacking
+  asset_type: endpoint
+  atomic_guid: []
+  confidence: 80
+  impact: 80
+  message: Failed trust validation via the CryptoAPI 2 on $dest$ for a binary.
+  mitre_attack_id:
+  - T1553.003
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 64
+  required_fields:
+  - _time
+  - Computer
+  - UserData_Xml
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.003/sip/capi2-operational.log
+    source: XmlWinEventLog:Microsoft-Windows-CAPI2/Operational
+    sourcetype: xmlwineventlog
@@ -0,0 +1,4 @@
+definition: sourcetype="PwSh:SubjectInterfacePackage"
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environmnent.
+name: subjectinterfacepackage
@@ -0,0 +1,23 @@
+name: Subvert Trust Controls SIP and Trust Provider Hijacking
+id: 7faf91b6-532a-4f18-807c-b2761e90b6dc
+version: 1
+date: '2023-10-10'
+author: Michael Haag, Splunk
+description: Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. This technique involves modifying the Dll and FuncName Registry values that point to the dynamic link library (DLL) providing a SIP's function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value, an adversary can apply an acceptable signature value to all files using that SIP. This can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation.
+narrative: In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code. The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats and are identified by globally unique identifiers (GUIDs). Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed.
+references: 
+  - https://attack.mitre.org/techniques/T1553/003/
+  - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml
+  - https://specterops.io/wp-content/uploads/sites/3/2022/06/SpecterOps_Subverting_Trust_in_Windows.pdf
+  - https://github.com/gtworek/PSBits/tree/master/SIP
+  - https://github.com/mattifestation/PoCSubjectInterfacePackage
+  - https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/
+tags:
+  analytic_story: Subvert Trust Controls SIP and Trust Provider Hijacking
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection