Potential Application Shimming via Sdbinst
The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/10"
6min_stack_version = "8.13.0"
7min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12The Application Shim was created to allow for backward compatibility of software as the operating system codebase
13changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary
14code execution in legitimate Windows processes.
15"""
16from = "now-9m"
17index = [
18 "winlogbeat-*",
19 "logs-endpoint.events.process-*",
20 "logs-windows.forwarded*",
21 "logs-windows.sysmon_operational-*",
22 "endgame-*",
23 "logs-system.security*",
24 "logs-m365_defender.event-*",
25 "logs-sentinel_one_cloud_funnel.*",
26]
27language = "eql"
28license = "Elastic License v2"
29name = "Potential Application Shimming via Sdbinst"
30risk_score = 21
31rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
32severity = "low"
33tags = [
34 "Domain: Endpoint",
35 "OS: Windows",
36 "Use Case: Threat Detection",
37 "Tactic: Persistence",
38 "Data Source: Elastic Endgame",
39 "Data Source: Elastic Defend",
40 "Data Source: System",
41 "Data Source: Microsoft Defender for Endpoint",
42 "Data Source: Sysmon",
43 "Data Source: SentinelOne",
44]
45timestamp_override = "event.ingested"
46type = "eql"
47
48query = '''
49process where host.os.type == "windows" and event.type == "start" and process.name : "sdbinst.exe" and
50 process.args : "?*" and
51 not (process.args : "-m" and process.args : "-bg") and
52 not process.args : "-mm"
53'''
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1546"
60name = "Event Triggered Execution"
61reference = "https://attack.mitre.org/techniques/T1546/"
62[[rule.threat.technique.subtechnique]]
63id = "T1546.011"
64name = "Application Shimming"
65reference = "https://attack.mitre.org/techniques/T1546/011/"
66
67
68
69[rule.threat.tactic]
70id = "TA0003"
71name = "Persistence"
72reference = "https://attack.mitre.org/tactics/TA0003/"
73[[rule.threat]]
74framework = "MITRE ATT&CK"
75[[rule.threat.technique]]
76id = "T1546"
77name = "Event Triggered Execution"
78reference = "https://attack.mitre.org/techniques/T1546/"
79[[rule.threat.technique.subtechnique]]
80id = "T1546.011"
81name = "Application Shimming"
82reference = "https://attack.mitre.org/techniques/T1546/011/"
83
84
85
86[rule.threat.tactic]
87id = "TA0004"
88name = "Privilege Escalation"
89reference = "https://attack.mitre.org/tactics/TA0004/"
Related rules
- Execution via MSSQL xp_cmdshell Stored Procedure
- Persistence via TelemetryController Scheduled Task Hijack
- Persistence via WMI Event Subscription
- User Account Creation
- New ActiveSyncAllowedDeviceID Added via PowerShell