Take a SIP: A Refreshing Look at Subject Interface Packages

Deep dive into Windows Subject Interface Packages (SIPs) - how they work, how attackers abuse them for code signing bypass, and how to detect malicious SIP hijacking.

sip code-signing bypass persistence detection splunk

Originally published on the Splunk Security Blog
Read the full article: Take a SIP: Subject Interface Packages

What are SIPs?

Subject Interface Packages (SIPs) are DLLs that tell Windows how to calculate cryptographic hashes for different file types during code signing verification.

When you right-click a file and inspect its digital signature, a SIP is doing the hashing work behind the scenes.

Why Attackers Care

SIP hijacking lets attackers:

  • Bypass code signing checks - Make unsigned code appear signed
  • Maintain persistence - SIP registration survives reboots
  • Evade detection - Security tools trust signed files

How SIP Hijacking Works

  1. Create malicious SIP DLL - Implements required interfaces
  2. Register SIP - Add registry entries pointing to malicious DLL
  3. Hijack file type - Windows uses malicious SIP for that extension
  4. Profit - Unsigned files pass signature verification

Registry Locations

SIPs are registered under:

HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\
    CryptSIPDllGetSignedDataMsg\{GUID}
    CryptSIPDllVerifyIndirectData\{GUID}

Detection

SIP Registration Changes

index=sysmon EventCode=13 
  TargetObject="*\\Cryptography\\OID\\*SIP*"
| table _time, Computer, TargetObject, Details

New DLLs in SIP Paths

index=sysmon EventCode=11
  TargetFilename="*\\System32\\*.dll"
| eval name=lower(TargetFilename)
| where like(name, "%crypt%") OR like(name, "%sip%")
| table _time, Computer, TargetFilename

Defense

  • Baseline legitimate SIP registrations
  • Monitor registry changes to cryptography keys
  • Alert on new DLLs in system directories
  • Validate SIP DLL signatures
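The two Splunk searches above surface the registry writes; the baselining step in this list decides which of them matter. The script below is an added example, not code from the original post or from Splunk, that does that second step: it takes EventCode 13 records shaped like the output of the first search (`_time`, `Computer`, `TargetObject`, `Details`), parses the CryptSIPDll* function key, the {GUID} and the value name (`Dll` or `FuncName`, the two values every SIP registration key holds), and compares each write against a baseline table. The four records, the baseline and its GUIDs are constructed placeholders; a real baseline would be exported from a clean reference host of the same Windows build, and the check assumes the system drive is C:.

```python
"""Triage Sysmon EventCode 13 (registry value set) records that touch the
Windows SIP registration keys and compare them with a known-good baseline.

Added example for this page, not code from the original post or from
Splunk. Log records, baseline entries and GUIDs below are constructed."""
import re

# Root of the SIP registration keys quoted on the page.
SIP_ROOT = r"HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0"

# Each SIP registers one {GUID} subkey per CryptSIPDll* function key; every
# such subkey holds a "Dll" (path) value and a "FuncName" (export) value.
TARGET_RE = re.compile(
    re.escape(SIP_ROOT)
    + r"\\(?P<func>CryptSIPDll[A-Za-z0-9]+)"
    + r"\\(?P<guid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    + r"\\(?P<value>Dll|FuncName)$",
    re.IGNORECASE,
)

# Constructed baseline: (function key, GUID) -> expected Dll and FuncName.
# The GUID is a placeholder, not a real SIP identifier.
BASELINE = {
    ("CryptSIPDllGetSignedDataMsg", "{11111111-1111-1111-1111-111111111111}"):
        {"Dll": r"C:\Windows\System32\WINTRUST.DLL",
         "FuncName": "CryptSIPGetSignedDataMsg"},
    ("CryptSIPDllVerifyIndirectData", "{11111111-1111-1111-1111-111111111111}"):
        {"Dll": r"C:\Windows\System32\WINTRUST.DLL",
         "FuncName": "CryptSIPVerifyIndirectData"},
}


def normalize_path(path):
    """Lower-case, expand %SystemRoot%/%windir% and unify separators so that
    registry values written in mixed case or with variables compare equal."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    p = p.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")
    while "\\\\" in p:
        p = p.replace("\\\\", "\\")
    return p


def in_system32(path):
    """True when the DLL path resolves under System32 with no '..' traversal.
    Assumes the system drive is C: (a deployment-specific assumption)."""
    p = normalize_path(path)
    return p.startswith("c:\\windows\\system32\\") and ".." not in p


def triage_event(record, baseline=BASELINE):
    """Return (reason, detail) findings for one EventCode 13 record; an empty
    list means the write is either not a SIP value or matches the baseline."""
    m = TARGET_RE.match(record["TargetObject"])
    if not m:
        return []                                   # not a SIP registration value
    func, guid = m.group("func"), m.group("guid").upper()
    value = m.group("value").lower()
    known = baseline.get((func, guid))
    findings = []
    if known is None:
        findings.append(("new SIP registration", f"{func}\\{guid}"))
    if value == "dll":
        if not in_system32(record["Details"]):
            findings.append(("SIP DLL outside System32", record["Details"]))
        if known and normalize_path(known["Dll"]) != normalize_path(record["Details"]):
            findings.append(("SIP DLL path changed", record["Details"]))
    elif known and known["FuncName"] != record["Details"]:
        findings.append(("SIP export name changed", record["Details"]))
    return findings


def triage(events, baseline=BASELINE):
    """Run triage over many records and return one alert dict per finding."""
    return [{"_time": ev["_time"], "Computer": ev["Computer"],
             "reason": reason, "detail": detail}
            for ev in events for reason, detail in triage_event(ev, baseline)]


# Constructed records, shaped like the first Splunk search's table output.
_NEW = "{22222222-2222-2222-2222-222222222222}"
_KNOWN = "{11111111-1111-1111-1111-111111111111}"
EVENTS = [
    {"_time": "2024-05-01T09:00:00", "Computer": "WS01",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid",
     "Details": "constructed-guid"},                # unrelated key, ignored
    {"_time": "2024-05-01T09:00:01", "Computer": "WS01",
     "TargetObject": SIP_ROOT + r"\CryptSIPDllGetSignedDataMsg\%s\Dll" % _KNOWN,
     "Details": r"%SystemRoot%\System32\WINTRUST.DLL"},   # matches baseline
    {"_time": "2024-05-01T09:05:12", "Computer": "WS01",
     "TargetObject": SIP_ROOT + r"\CryptSIPDllVerifyIndirectData\%s\Dll" % _NEW,
     "Details": r"C:\ProgramData\Example\sipshim.dll"},   # unknown GUID, odd path
    {"_time": "2024-05-01T10:15:40", "Computer": "WS02",
     "TargetObject": SIP_ROOT + r"\CryptSIPDllVerifyIndirectData\%s\Dll" % _KNOWN,
     "Details": r"C:\Windows\Temp\wintrust.dll"},         # known GUID, repointed
    {"_time": "2024-05-01T10:15:41", "Computer": "WS02",
     "TargetObject": SIP_ROOT + r"\CryptSIPDllVerifyIndirectData\%s\FuncName" % _KNOWN,
     "Details": "VerifyIndirectDataShim"},                # export name swapped
]

if __name__ == "__main__":
    for a in triage(EVENTS):
        print(f'{a["_time"]} {a["Computer"]:5} {a["reason"]:26} {a["detail"]}')
```

Path normalization matters more than it looks: Windows writes the stock SIP entries with `%SystemRoot%` and upper-case file names, so a naive string comparison against a baseline would flag every legitimate Windows Update rewrite. The baseline key is the (function key, GUID) pair rather than the GUID alone, because a hijack can repoint a single function (typically the verification one) while leaving the others untouched.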

Read the full analysis: Take a SIP: Subject Interface Packages
