Techniques
Sample rules
Windows SIP Provider Inventory
- source: splunk
- techniques:
- T1553.003
Description
The following inventory analytic is used with a PowerShell scripted input to capture all SIP providers on a Windows system. It is used to identify potentially malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers.
Detection logic
`subjectinterfacepackage` Dll=*\\*.dll
| stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sip_provider_inventory_filter`
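An added example of the collection side (not the rule's own scripted input): a PowerShell script that enumerates the SIP and trust provider DLLs registered in the Windows registry and writes one key=value event per provider, so the Dll and Path fields that the search groups on can be extracted. The field names, the CryptSIPDll* stage filter and the environment-variable expansion are assumptions of this example.

```powershell
# Added example, not the detection catalog's own scripted input.
# Enumerates SIP providers (EncodingType 0\CryptSIPDll*) and trust providers
# (Providers\Trust\*) from both native and WOW6432Node hives and prints
# key=value lines; assumed field names Dll/Path match the search above.

$sipRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0'
)
$trustRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers\Trust',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust'
)

function Get-ProviderEntries {
    param([string[]]$Roots, [string]$StagePattern, [string]$DllValue, [string]$FuncValue)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Each stage key (e.g. CryptSIPDllVerifyIndirectData, FinalPolicy) has one subkey per GUID.
        $stages = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like $StagePattern }
        foreach ($stage in $stages) {
            foreach ($guidKey in Get-ChildItem -Path $stage.PSPath -ErrorAction SilentlyContinue) {
                $props = Get-ItemProperty -Path $guidKey.PSPath -ErrorAction SilentlyContinue
                $dll = [string]$props.$DllValue
                if (-not $dll) { continue }
                [PSCustomObject]@{
                    Path     = $guidKey.Name          # full registry path of the provider entry
                    Stage    = $stage.PSChildName
                    Guid     = $guidKey.PSChildName
                    Dll      = $dll
                    FuncName = [string]$props.$FuncValue
                    # Expanded path makes a DLL outside %SystemRoot%\System32 easy to spot on review.
                    Expanded = [Environment]::ExpandEnvironmentVariables($dll)
                }
            }
        }
    }
}

$entries = @()
$entries += Get-ProviderEntries -Roots $sipRoots   -StagePattern 'CryptSIPDll*' -DllValue 'Dll'  -FuncValue 'FuncName'
$entries += Get-ProviderEntries -Roots $trustRoots -StagePattern '*'            -DllValue '$DLL' -FuncValue '$Function'

foreach ($e in $entries) {
    # One event per provider; quoted values survive Splunk's key=value auto-extraction.
    "Path=`"$($e.Path)`" Stage=$($e.Stage) Guid=$($e.Guid) Dll=`"$($e.Dll)`" FuncName=$($e.FuncName) ExpandedDll=`"$($e.Expanded)`""
}
```

Run it as a scheduled scripted input on the host; a Dll value that does not expand to a path under the Windows directory, or a GUID that appears on only one host, is what the analytic's review step is meant to surface.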