This detection covers anomalous registry modifications to the DLL mappings for Subject Interface Packages (SIPs) or trust providers, unexpected loading of non-Microsoft cryptographic modules, and attempts to redirect WinVerifyTrust validation logic. The defender view focuses on registry tampering, suspicious DLL loads into trusted processes, and abnormal trust-validation failures, correlated across event streams.
| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Modification (DC0061) | WinEventLog:Application | EventCode=81,3033 |

| Field | Description |
|---|---|
| RegistryPathBaselines | Monitor for changes in Registry paths. |
| TimeWindow | Correlate between changes in Registry values, system files, and modules loaded. |
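The cross-stream correlation described above, as an added illustration that is not part of this detection strategy page: a Security 4657 write under a baselined SIP or trust-provider subtree is remembered, and a Sysmon 7 load of the newly mapped DLL within the TimeWindow becomes a correlated alert, while any non-Microsoft module loaded into a trusted process is flagged on its own. The baseline subtrees, ten-minute window, trusted-process list, normalised field names and the sample events are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed RegistryPathBaselines: subtrees whose values map SIP and trust-provider
# DLLs, matched case-insensitively against the 4657 ObjectName.
REGISTRY_PATH_BASELINES = (
    r"\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\OID",
    r"\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\PROVIDERS\TRUST",
)
TIME_WINDOW = timedelta(minutes=10)                                 # assumed window
TRUSTED_PROCESSES = {"svchost.exe", "services.exe", "msiexec.exe"}  # assumed list

def touches_baseline(object_name: str) -> bool:
    """True when a 4657 ObjectName lies under a baselined SIP/trust-provider subtree."""
    upper = object_name.upper()
    return any(prefix in upper for prefix in REGISTRY_PATH_BASELINES)

def correlate(events: list[dict]) -> list[tuple]:
    """Walk normalised Security 4657 and Sysmon 7 events in time order and emit
    (rule, process, artifact) alerts. Writes to baselined keys are remembered so a
    load of the newly mapped DLL inside TIME_WINDOW becomes a correlated hit."""
    alerts, pending = [], []          # pending: (write time, upper-cased DLL path)
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["channel"] == "Security" and e["code"] == 4657 and touches_baseline(e["object"]):
            alerts.append(("registry_tamper", e["process"], e["object"]))
            pending.append((t, e["new_value"].upper()))
        elif e["channel"] == "Sysmon" and e["code"] == 7:
            loaded, proc = e["loaded"], e["image"].rsplit("\\", 1)[-1].lower()
            mapped_recently = any(d == loaded.upper() and timedelta(0) <= t - t0 <= TIME_WINDOW
                                  for t0, d in pending)
            if mapped_recently:
                alerts.append(("sip_dll_load_correlated", e["image"], loaded))
            elif not e["signature"].startswith("Microsoft") and proc in TRUSTED_PROCESSES:
                alerts.append(("non_microsoft_module_in_trusted_process", e["image"], loaded))
    return alerts

# Constructed sample telemetry (not real events); keys are normalised from
# ObjectName/NewValue/ProcessName (4657) and Image/ImageLoaded/Signature (Sysmon 7).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "channel": "Security", "code": 4657, "process": "msiexec.exe",
     "object": r"\REGISTRY\MACHINE\SOFTWARE\Contoso\Agent", "new_value": "1"},
    {"time": "2024-05-01T10:00:05", "channel": "Security", "code": 4657, "process": "reg.exe",
     "object": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0"
               r"\CryptSIPDllVerifyIndirectData\{PLACEHOLDER-SIP-GUID}",
     "new_value": r"C:\Users\Public\sipshim.dll"},
    {"time": "2024-05-01T10:03:40", "channel": "Sysmon", "code": 7, "signature": "",
     "image": r"C:\Windows\System32\svchost.exe", "loaded": r"C:\Users\Public\sipshim.dll"},
    {"time": "2024-05-01T10:05:00", "channel": "Sysmon", "code": 7, "signature": "Microsoft Windows",
     "image": r"C:\Windows\System32\rundll32.exe", "loaded": r"C:\Windows\System32\wintrust.dll"},
    {"time": "2024-05-01T11:30:00", "channel": "Sysmon", "code": 7, "signature": "Vendor Ltd",
     "image": r"C:\Windows\System32\svchost.exe", "loaded": r"C:\Program Files\Vendor\vcrypt.dll"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields three alerts: the baseline-path write by reg.exe, the correlated load of sipshim.dll into svchost.exe, and the later vendor module in svchost.exe; the Contoso write and the Microsoft-signed wintrust.dll load produce nothing.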