Potential Application Shimming via Sdbinst
The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
4maturity = "production"
5updated_date = "2024/11/02"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12The Application Shim was created to allow for backward compatibility of software as the operating system codebase
13changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary
14code execution in legitimate Windows processes.
15"""
16from = "now-9m"
17index = [
18 "winlogbeat-*",
19 "logs-endpoint.events.process-*",
20 "logs-windows.forwarded*",
21 "logs-windows.sysmon_operational-*",
22 "endgame-*",
23 "logs-system.security*",
24 "logs-m365_defender.event-*",
25 "logs-sentinel_one_cloud_funnel.*",
26 "logs-crowdstrike.fdr*",
27]
28language = "eql"
29license = "Elastic License v2"
30name = "Potential Application Shimming via Sdbinst"
31risk_score = 21
32rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
33severity = "low"
34tags = [
35 "Domain: Endpoint",
36 "OS: Windows",
37 "Use Case: Threat Detection",
38 "Tactic: Persistence",
39 "Data Source: Elastic Endgame",
40 "Data Source: Elastic Defend",
41 "Data Source: System",
42 "Data Source: Microsoft Defender for Endpoint",
43 "Data Source: Sysmon",
44 "Data Source: SentinelOne",
45 "Data Source: Crowdstrike",
46]
47timestamp_override = "event.ingested"
48type = "eql"
49
50query = '''
51process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
52 process.args : "?*" and
53 not (process.args : "-m" and process.args : "-bg") and
54 not process.args : "-mm"
55'''
56
57
58[[rule.threat]]
59framework = "MITRE ATT&CK"
60[[rule.threat.technique]]
61id = "T1546"
62name = "Event Triggered Execution"
63reference = "https://attack.mitre.org/techniques/T1546/"
64[[rule.threat.technique.subtechnique]]
65id = "T1546.011"
66name = "Application Shimming"
67reference = "https://attack.mitre.org/techniques/T1546/011/"
68
69
70
71[rule.threat.tactic]
72id = "TA0003"
73name = "Persistence"
74reference = "https://attack.mitre.org/tactics/TA0003/"
75[[rule.threat]]
76framework = "MITRE ATT&CK"
77[[rule.threat.technique]]
78id = "T1546"
79name = "Event Triggered Execution"
80reference = "https://attack.mitre.org/techniques/T1546/"
81[[rule.threat.technique.subtechnique]]
82id = "T1546.011"
83name = "Application Shimming"
84reference = "https://attack.mitre.org/techniques/T1546/011/"
85
86
87
88[rule.threat.tactic]
89id = "TA0004"
90name = "Privilege Escalation"
91reference = "https://attack.mitre.org/tactics/TA0004/"
Related rules
- Persistence via TelemetryController Scheduled Task Hijack
- User Account Creation
- Web Shell Detection: Script Process Child of Common Web Processes
- New ActiveSyncAllowedDeviceID Added via PowerShell
- Bypass UAC via Event Viewer