Potential Application Shimming via Sdbinst

The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule, TOML form. `[metadata]` is maintenance
# bookkeeping; `[rule]` holds the rule definition itself.
[metadata]
creation_date = "2020/02/18"
# Presumably the integrations whose data streams this rule runs against — verify
# against the rule packaging docs.
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
The Application Shim was created to allow for backward compatibility of software as the operating system codebase
changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary
code execution in legitimate Windows processes.
"""
# Start of the search window for each execution, as date math relative to now.
from = "now-9m"
# Index patterns searched: Elastic Agent (endpoint/windows/system) plus Beats
# and Endgame sources.
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.*",
    "endgame-*",
    "logs-system.security*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Application Shimming via Sdbinst"
# Low score paired with `severity = "low"` below: sdbinst.exe has legitimate
# uses, so a match on its own is a weak signal.
risk_score = 21
rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
# NOTE(review): the threat section at the bottom maps this rule to both
# Persistence (TA0003) and Privilege Escalation (TA0004), but only Persistence
# is tagged here — confirm whether a matching "Tactic: Privilege Escalation"
# tag is expected.
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
# Query on ingest time rather than @timestamp; the setup text above explains why
# pre-8.2 Beats indices need a pipeline that populates `event.ingested`.
timestamp_override = "event.ingested"
type = "eql"

# EQL: Windows process-start events for sdbinst.exe that carry at least one
# argument of one or more characters ("?*"), excluding runs that carry both
# "-m" and "-bg", or "-mm".
# NOTE(review): each `process.args : "..."` test matches the flag anywhere in
# the argument list, regardless of position or of the other arguments present,
# so any command line that also contains those flags is suppressed — confirm
# this is the benign baseline the exclusions were written for.
query = '''
process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
  process.args : "?*" and
  not (process.args : "-m" and process.args : "-bg") and
  not process.args : "-mm"
'''


# MITRE ATT&CK mapping. The same technique/sub-technique is listed twice so the
# rule is associated with two tactics: Persistence and Privilege Escalation.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.011"
name = "Application Shimming"
reference = "https://attack.mitre.org/techniques/T1546/011/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
# Second mapping: identical technique, Privilege Escalation tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.011"
name = "Application Shimming"
reference = "https://attack.mitre.org/techniques/T1546/011/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
