Potential Application Shimming via Sdbinst

The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.

Elastic rule

[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/01"

[rule]
author = ["Elastic"]
description = """
The Application Shim was created to allow for backward compatibility of software as the operating system codebase
changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary
code execution in legitimate Windows processes.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Application Shimming via Sdbinst"
risk_score = 21
rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
  process.args : "?*" and
  not (process.args : "-m" and process.args : "-bg") and
  not process.args : "-mm"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.011"
name = "Application Shimming"
reference = "https://attack.mitre.org/techniques/T1546/011/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.011"
name = "Application Shimming"
reference = "https://attack.mitre.org/techniques/T1546/011/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
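To show exactly which process-start events the EQL query alerts on and which the two exclusions drop, here is an added Python re-implementation of the query's conditions (not Elastic's code) run over constructed sample events; the field names are the ECS fields the query uses, and `_get`, `_matches`, `rule_matches` and `run_rule` are helper names chosen for this example.

```python
import re

def _get(event, dotted):
    """Resolve an ECS dotted field name (e.g. "process.args") in a nested dict."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def _matches(values, pattern):
    """Emulate EQL's ':' operator: case-insensitive wildcard compare where
    '*' is any run of characters and '?' is exactly one character; for an
    array field such as process.args it is enough that any one element matches."""
    if values is None:
        return False
    if isinstance(values, str):
        values = [values]
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    rx = re.compile(f"^{rx}$", re.IGNORECASE | re.DOTALL)
    return any(rx.match(v) for v in values)

def rule_matches(event):
    """Python rendering of the rule's EQL query for one process event."""
    if _get(event, "host.os.type") != "windows" or _get(event, "event.type") != "start":
        return False
    if not _matches(_get(event, "process.name"), "sdbinst.exe"):
        return False
    args = _get(event, "process.args")
    if not _matches(args, "?*"):                        # at least one non-empty argument
        return False
    if _matches(args, "-m") and _matches(args, "-bg"):  # benign "-m -bg" invocation is excluded
        return False
    return not _matches(args, "-mm")                    # "-mm" is excluded as well

def _event(name, proc_name, args, os_type="windows"):
    return {"id": name, "host": {"os": {"type": os_type}}, "event": {"type": "start"},
            "process": {"name": proc_name, "args": args}}

# Constructed sample events, not real telemetry. As in ECS process data,
# process.args carries the executable itself as its first element.
SAMPLE_EVENTS = [
    _event("custom-sdb", "sdbinst.exe", ["sdbinst.exe", "C:\\ProgramData\\fix.sdb"]),
    _event("uninstall-sdb", "sdbinst.exe", ["sdbinst.exe", "-u", "C:\\ProgramData\\fix.sdb"]),
    _event("m-bg-excluded", "sdbinst.exe", ["sdbinst.exe", "-m", "-bg"]),
    _event("upper-m-bg-excluded", "SDBINST.EXE", ["SDBINST.EXE", "-M", "-BG"]),
    _event("mm-excluded", "sdbinst.exe", ["sdbinst.exe", "-mm"]),
    _event("empty-args", "sdbinst.exe", []),
    _event("not-windows", "sdbinst.exe", ["sdbinst.exe", "x.sdb"], os_type="linux"),
]

def run_rule(events):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['custom-sdb', 'uninstall-sdb']
```

Because `:` is case-insensitive in EQL, the `-M -BG` variant is excluded just like `-m -bg`; the empty-args event is dropped by the `"?*"` clause rather than by either exclusion.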
