Techniques
Sample rules
Windows SIP Provider Inventory
- source: splunk
- technicques:
- T1553.003
Description
The following analytic identifies all SIP (Subject Interface Package) providers on a Windows system using PowerShell scripted inputs. It detects SIP providers by capturing DLL paths from relevant events. This activity is significant because malicious SIP providers can be used to bypass trust controls, potentially allowing unauthorized code execution. If confirmed malicious, this activity could enable attackers to subvert system integrity, leading to unauthorized access or persistent threats within the environment. Analysts should review for new and non-standard paths to identify potential threats.
Detection logic
`subjectinterfacepackage` Dll=*\\*.dll
| stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sip_provider_inventory_filter`