Skip to content

DET0442 Detection Strategy for Subvert Trust Controls using SIP and Trust Provider Hijacking.

Item Value
ID DET0442
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1553.003 (SIP and Trust Provider Hijacking)

Analytics

Windows

AN1222

Detection of anomalous registry modifications to Subject Interface Packages (SIPs) or trust provider DLL mappings, unexpected loading of non-Microsoft cryptographic modules, or attempts to redirect WinVerifyTrust validation logic. Defender view focuses on registry tampering, suspicious DLL loads into trusted processes, and abnormal trust validation failures correlated across event streams.

Log Sources
Data Component Name Channel
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
File Modification (DC0061) WinEventLog:CodeIntegrity EventCode=3033
Mutable Elements
Field Description
RegistryPathBaselines Monitor for changes in Registry paths.
TimeWindow Correlate between changes in Registry values, system files, and modules loaded.