Potential Application Shimming via Sdbinst

The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/02/18"
 3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2024/10/10"
 6min_stack_version = "8.13.0"
 7min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12The Application Shim was created to allow for backward compatibility of software as the operating system codebase
13changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary
14code execution in legitimate Windows processes.
15"""
16from = "now-9m"
17index = [
18    "winlogbeat-*",
19    "logs-endpoint.events.process-*",
20    "logs-windows.forwarded*",
21    "logs-windows.sysmon_operational-*",
22    "endgame-*",
23    "logs-system.security*",
24    "logs-m365_defender.event-*",
25    "logs-sentinel_one_cloud_funnel.*",
26]
27language = "eql"
28license = "Elastic License v2"
29name = "Potential Application Shimming via Sdbinst"
30risk_score = 21
31rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
32severity = "low"
33tags = [
34    "Domain: Endpoint",
35    "OS: Windows",
36    "Use Case: Threat Detection",
37    "Tactic: Persistence",
38    "Data Source: Elastic Endgame",
39    "Data Source: Elastic Defend",
40    "Data Source: System",
41    "Data Source: Microsoft Defender for Endpoint",
42    "Data Source: Sysmon",
43    "Data Source: SentinelOne",
44]
45timestamp_override = "event.ingested"
46type = "eql"
47
48query = '''
49process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
50  process.args : "?*" and
51  not (process.args : "-m" and process.args : "-bg") and
52  not process.args : "-mm"
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1546"
60name = "Event Triggered Execution"
61reference = "https://attack.mitre.org/techniques/T1546/"
62[[rule.threat.technique.subtechnique]]
63id = "T1546.011"
64name = "Application Shimming"
65reference = "https://attack.mitre.org/techniques/T1546/011/"
66
67
68
69[rule.threat.tactic]
70id = "TA0003"
71name = "Persistence"
72reference = "https://attack.mitre.org/tactics/TA0003/"
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75[[rule.threat.technique]]
76id = "T1546"
77name = "Event Triggered Execution"
78reference = "https://attack.mitre.org/techniques/T1546/"
79[[rule.threat.technique.subtechnique]]
80id = "T1546.011"
81name = "Application Shimming"
82reference = "https://attack.mitre.org/techniques/T1546/011/"
83
84
85
86[rule.threat.tactic]
87id = "TA0004"
88name = "Privilege Escalation"
89reference = "https://attack.mitre.org/tactics/TA0004/"

Related rules

to-top