Windows SIP Provider Inventory
Description
The following inventory analytic is used with a PowerShell scripted inputs to capture all SIP providers on a Windows system. This analytic is used to identify potential malicious SIP providers that may be used to subvert trust controls. Upon review, look for new and non-standard paths for SIP providers.
- Type: Hunting
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-10-10
- Author: Michael Haag, Splunk
- ID: 21c5af91-1a4a-4511-8603-64fb41df3fad
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
`subjectinterfacepackage` Dll=*\\*.dll
| stats count min(_time) as firstTime max(_time) as lastTime values(Dll) by Path host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sip_provider_inventory_filter`
Macros
The SPL above uses the following Macros:
windows_sip_provider_inventory_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- Path
- Dll
- host
How To Implement
To implement this analytic, one must first perform inventory using a scripted inputs. Review the following Gist - https://gist.github.com/MHaggis/75dd5db546c143ea67703d0e86cdbbd1
Known False Positives
False positives are limited as this is a hunting query for inventory.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 25.0 | 50 | 50 | A list of SIP providers on the system is available. Review for new and non-standard paths for SIP providers on $host$. |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1