Installation of Custom Shim Databases
Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
Elastic rule
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been
abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Installation of Custom Shim Databases"
risk_score = 47
rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Persistence",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: SentinelOne",
  "Data Source: Elastic Endgame",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb",
    "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"
  ) and
  not process.executable :
    ("?:\\Program Files (x86)\\DesktopCentral_Agent\\swrepository\\1\\swuploads\\SAP-SLC\\SAPSetupSLC02_14-80001954\\Setup\\NwSapSetup.exe",
     "?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe",
     "?:\\Program Files (x86)\\SAP\\SAPsetup\\setup\\NwSapSetup.exe",
     "?:\\Program Files (x86)\\SAP\\SapSetup\\OnRebootSvc\\NWSAPSetupOnRebootInstSvc.exe",
     "?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows Server\\kavfs.exe")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Installation of Custom Shim Databases

Application Compatibility Shim databases (.sdb files) let Windows apply compatibility fixes to older applications so they keep running on newer OS versions. Because those fixes can load a DLL into, or redirect execution of, a chosen executable, attackers install their own shim databases to gain persistence and code execution inside legitimate Windows processes. Installing a database (normally with sdbinst.exe) registers it under the AppCompatFlags Custom key in a subkey named after the targeted executable, with a value named after the database GUID and ending in .sdb, and records the database path under the InstalledSDB key. The detection rule alerts on changes to those Custom registry paths, excluding a short list of known installers, to flag potential abuse.

### Possible investigation steps

- Read the registry path in the alert: the subkey under Custom names the executable the shim is applied to, and the value name is the database GUID. Look up the same GUID under InstalledSDB to get DatabasePath and the install timestamp, then confirm whether that database and its target are expected on this host.
- Investigate the process that made the registry change (executable path, parent process, user and command line) and compare it against the installer paths excluded in the query. sdbinst.exe launched from an unusual parent or user deserves attention; a Custom value written by something other than sdbinst.exe deserves more, since the keys can be created directly without the installer.
- Check the historical activity of the process responsible for the change to identify any patterns or anomalies that might indicate malicious behavior.
- Analyze the context around the time of the registry change, including other system events or alerts, to identify any related suspicious activities.
- If the .sdb file is suspicious, collect it from the DatabasePath location and parse it to see which executable it matches and which fixes it applies; fixes such as InjectDll or RedirectEXE in a custom database are strong indicators of abuse.
- Consult threat intelligence sources to see if there are any known threats or campaigns associated with the identified process or .sdb file.

### False positive analysis

- Legitimate software such as SAP and Kaspersky installers, and Windows setup itself (SetupPlatform.exe), install shim databases and are already excluded in the detection rule to minimize unnecessary alerts.
- If additional legitimate applications are identified as causing false positives, update the exclusion list by adding their full process executable paths to the rule rather than broad wildcards.
- Regularly review and update the exclusion list to ensure it reflects the current environment and any new legitimate applications that use shim databases.
- Monitor the frequency and context of alerts to distinguish between benign and potentially malicious activities, adjusting the rule as necessary to reduce noise.
- Engage with application owners to verify the legitimacy of processes that frequently trigger alerts, ensuring that only trusted applications are excluded.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further propagation or communication with potential command and control servers.
- Terminate any suspicious processes identified as responsible for the installation of the custom shim database, ensuring they are not legitimate processes mistakenly flagged.
- Uninstall the malicious database (sdbinst.exe -u with the database path, or -u -g with its GUID), then verify that the Custom value, the InstalledSDB subkey and the .sdb file at DatabasePath are all gone and delete any that remain. Processes that already started with the shim applied keep it until they are restarted.
- Conduct a thorough scan of the affected system using updated antivirus and endpoint detection tools to identify and remove any additional malware or unauthorized changes.
- Review and restore any altered system configurations or files to their original state to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for the specified registry paths and associated processes to detect and respond to similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.011"
name = "Application Shimming"
reference = "https://attack.mitre.org/techniques/T1546/011/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
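The rule's condition re-implemented in Python and run over a handful of constructed registry events, followed by the triage artefacts an analyst would derive from each hit. This is an added example, not Elastic's code: the events are made up, the flat dotted-field dictionaries stand in for ECS documents, and the AppPatch copy location and the sdbinst -g switch are assumptions noted in the comments. It shows two things the EQL alone does not: how the `?:` drive wildcard and the three spellings of the key behave under EQL's case-insensitive `:` matching, and how the registry path of a hit already tells you which executable the shim targets and which InstalledSDB subkey holds its DatabasePath.

```python
"""Added example (not Elastic code): the rule's EQL condition in Python, run over
constructed ECS-style registry events, then triage artefacts derived per hit."""
import re

# The three spellings of the key the rule accepts (Elastic Defend, Sysmon and the
# bare MACHINE form); '*' spans '<target exe>\{GUID}.sdb'.
SDB_PATH_PATTERNS = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\*.sdb",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\*.sdb",
    r"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\*.sdb",
)

# Installers the rule suppresses; '?:' stands for any single drive letter.
EXCLUDED_EXECUTABLES = (
    r"?:\Program Files (x86)\DesktopCentral_Agent\swrepository\1\swuploads\SAP-SLC\SAPSetupSLC02_14-80001954\Setup\NwSapSetup.exe",
    r"?:\$WINDOWS.~BT\Sources\SetupPlatform.exe",
    r"?:\Program Files (x86)\SAP\SAPsetup\setup\NwSapSetup.exe",
    r"?:\Program Files (x86)\SAP\SapSetup\OnRebootSvc\NWSAPSetupOnRebootInstSvc.exe",
    r"?:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Windows Server\kavfs.exe",
)


def eql_wildcard(pattern: str) -> re.Pattern:
    """EQL ':' semantics: case-insensitive, '*' any run, '?' one character,
    everything else literal (backslashes included)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(regex, re.IGNORECASE)


SDB_PATH_RES = [eql_wildcard(p) for p in SDB_PATH_PATTERNS]
EXCLUDED_RES = [eql_wildcard(p) for p in EXCLUDED_EXECUTABLES]


def matches_rule(event: dict) -> bool:
    """registry where host.os.type == "windows" and event.type == "change"
    and registry.path : (...) and not process.executable : (...)."""
    if event.get("event.category") != "registry":
        return False
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    path = event.get("registry.path", "")
    if not any(r.fullmatch(path) for r in SDB_PATH_RES):
        return False
    # Simplification: a missing process.executable is treated as "not excluded";
    # EQL's null handling for that case is not modelled here.
    exe = event.get("process.executable", "")
    return not any(r.fullmatch(exe) for r in EXCLUDED_RES)


# Value name under Custom\<target exe>\ is '{GUID}.sdb'; the same GUID names the
# InstalledSDB subkey whose DatabasePath value points at the installed file.
CUSTOM_VALUE_RE = re.compile(
    r"^(?:HKLM|\\REGISTRY\\MACHINE|MACHINE)\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\AppCompatFlags\\Custom\\(?P<target>[^\\]+)\\(?P<guid>\{[0-9a-f-]{36}\})\.sdb$",
    re.IGNORECASE,
)


def shim_artefacts(registry_path: str, system_root: str = r"C:\Windows") -> dict:
    """Turn a matching registry.path into the things to collect during triage."""
    m = CUSTOM_VALUE_RE.match(registry_path)
    if m is None:
        raise ValueError(f"not a Custom shim value: {registry_path}")
    guid = m["guid"]
    base = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
    return {
        "target_executable": m["target"],          # process the shim is applied to
        "sdb_guid": guid,
        "installed_sdb_key": rf"{base}\InstalledSDB\{guid}",  # read DatabasePath here
        # Assumption: sdbinst's usual copy location (64-bit databases go under
        # AppPatch\Custom\Custom64). DatabasePath in InstalledSDB is authoritative.
        "likely_sdb_file": rf"{system_root}\AppPatch\Custom\{guid}.sdb",
        "uninstall_command": f"sdbinst.exe -q -u -g {guid}",  # assumption: -g takes the GUID
    }


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"event.category": "registry", "host.os.type": "windows", "event.type": "change",
     "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\notepad.exe\{6a4c1e2f-3b7d-4c8e-9f01-23456789abcd}.sdb",
     "process.executable": r"C:\Windows\System32\sdbinst.exe"},
    # Windows upgrade installer on a non-C: drive: suppressed through the '?:' wildcard
    {"event.category": "registry", "host.os.type": "windows", "event.type": "change",
     "registry.path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\setup.exe\{0f1e2d3c-4b5a-4968-8776-655443322110}.sdb",
     "process.executable": r"D:\$WINDOWS.~BT\Sources\SetupPlatform.exe"},
    # InstalledSDB subkey, not Custom: outside the rule's scope
    {"event.category": "registry", "host.os.type": "windows", "event.type": "change",
     "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{6a4c1e2f-3b7d-4c8e-9f01-23456789abcd}\DatabasePath",
     "process.executable": r"C:\Windows\System32\sdbinst.exe"},
    # Value deletion (an uninstall), not a change
    {"event.category": "registry", "host.os.type": "windows", "event.type": "deletion",
     "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\notepad.exe\{6a4c1e2f-3b7d-4c8e-9f01-23456789abcd}.sdb",
     "process.executable": r"C:\Windows\System32\sdbinst.exe"},
]


def run_rule(events: list) -> list:
    """One alert per matching event, enriched with the triage artefacts."""
    return [dict(event, artefacts=shim_artefacts(event["registry.path"]))
            for event in events if matches_rule(event)]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["process.executable"], "->", alert["artefacts"])
```

Only the first sample event alerts: the SetupPlatform.exe write is suppressed even though it runs from D:, the InstalledSDB write never matches the Custom pattern, and the deletion is the wrong event.type. The enrichment on the hit is where the rule's output becomes actionable: the Custom subkey name (notepad.exe) is the process the attacker wants their code to run inside, and the GUID is the key to both the InstalledSDB record and the database file.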
Related rules
- Browser Extension Install
- Creation or Modification of a new GPO Scheduled Task or Service
- Image File Execution Options Injection
- Installation of Security Support Provider
- Netsh Helper DLL