New Custom Shim Database Created
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
Sigma rule (View on GitHub)
1title: New Custom Shim Database Created
2id: ee63c85c-6d51-4d12-ad09-04e25877a947
3status: test
4description: |
5 Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
6 The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
9 - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
10 - https://liberty-shell.com/sec/2020/02/25/shim-persistence/
11 - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
12author: frack113, Nasreddine Bencherchali (Nextron Systems)
13date: 2021-12-29
14modified: 2023-12-06
15tags:
16 - attack.persistence
17 - attack.t1547.009
18logsource:
19 product: windows
20 category: file_event
21detection:
22 selection:
23 TargetFilename|contains:
24 - ':\Windows\apppatch\Custom\'
25 - ':\Windows\apppatch\CustomSDB\'
26 condition: selection
27falsepositives:
28 - Legitimate custom SHIM installations will also trigger this rule
29level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
In 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group associated with malicious operations dating back to 2015. Throughout the various environ...
Read More -
Checkout SlayerLabs.com! Networks Engineered to Exploit. - Windows/UNIX - Domains/Subnets - Initial/Post/Lateral - Low Cost VPN Ranges - Application Shimming This’ll be a quick post on the Windows...
Read More -
Microsoft provides Shims to developers mainly for backward compatibility, but malware can take advantage of shims to target an executable for both persistence and injection. As the Windows operating system evolves from version to version, changes to the implementation of some functions may affect applications that depend on them. Because of the nature of software, modifying the function again to resolve this compatibility issue could break additional applications or require Windows to remain the same regardless of the improvement that the alternative implementation could offer. Using the Shim Infrastructure, programmers can target a specific application fix but only for a particular application (and typically, for particular versions of that application), with these fixes housed outside the core Windows functions and maintained separately. The Shim Infrastructure implements a form of application programming interface (API) hooking: specifically, it leverages the nature of linking to redirect API calls from Windows itself to alternative code (the shim). from https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-7/dd837644(v=ws.10) So, shims are essentially a way of hooking into APIs and targeting specific executables: Windows runs the Shim Engine when it loads a binary to check for shimming databases in order to apply the appropriate fixes and malware can take advantage of shims to target an executable for both persistence and injection. </p> How can be created a shim? Microsoft allows anyone to create and install Shim database (sdb) files. These database files contain the specific details on how Windows should manipulate (in other words ‘shim’) a target program with predefined ‘Fixes’. Microsoft provides also a free tool called the Application Compatibility Administrator which allows users to create and apply specific fixes such as ‘DisableNX’,‘ModifyShellLinkPath’,‘VirtualRegistry’,‘DisableAdvancedPCClientHardening’, ‘ForceAdminAccess’,‘InjectDll’, ‘DisableSeh’,‘ShellExecuteXP’ and many others. After, the Application Compatibility Toolkit can be used to create and install a shim by guiding the user through a simple wizard. The installer will create a GUID, copy the sdb file in to %SystemRoot%\AppPatch\Custom\<GUID>.sdb then add a registry key using an internal database namein the format of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\<GUID>.sdbandHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\<GUID>.sdb Obviously if a user/malware has administrative access,they could simply add the keys to the registry directly. After the sdb file installation is complete all processes launched after that point will be subjected to the file matching rules of this shim database. </p> How shim cache can be useful for a malware? Nearly every process is vulnerable to shim injection and all modern Windows OS versions support shims and natively ship with the auto-elevated shim database installer sdbinst.exe. Custom fixes can be defined in the form of a user supplied DLL file, furthermore fixes are not considered executable even though they can contain shellcode. The shim engine (shimeng.dll) will not shim certain hard coded modules such as: NT Symbolic Debugger (NTSD), WinDbg or Software License Service (slsvc.exe) and it will intercept GetProcAddress() in the event an application attempts to dynamically call a function that the shim engine has manipulated. </p> How analyze a shim database? There are a few existing tools for analyzing sdb files, one of my favorites is python-sdb, a kit of python parsers for Application Compatibility Shim Databases. Examples sdb_dump_raw.py This script dumps all elements of the shim database format, without resolving references. $python sdb_dump_raw.py example.sdb <INDEXES> <INDEX> <INDEX_TAG type='integer'>0x7007</INDEX_TAG> <INDEX_KEY type='integer'>0x6001</INDEX_KEY> <INDEX_BITS type='hex'>0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002e54534f484356538e0400002e54534f484356538e040000</INDEX_BITS> </INDEX> <INDEX> <INDEX_TAG type='integer'>0x7007</INDEX_TAG> <INDEX_KEY type='integer'>0x4016</INDEX_KEY> <INDEX_FLAGS type='integer'>0x1</INDEX_FLAGS> <INDEX_BITS type='hex'>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</INDEX_BITS> </INDEX> <INDEX> <INDEX_TAG type='integer'>0x7007</INDEX_TAG> <INDEX_KEY type='integer'>0x600b</INDEX_KEY> <INDEX_FLAGS type='integer'>0x1</INDEX_FLAGS> <INDEX_BITS type='hex'>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</INDEX_BITS> </INDEX> <INDEX> <INDEX_TAG type='integer'>0x7007</INDEX_TAG> <INDEX_KEY type='integer'>0x6020</INDEX_KEY> <INDEX_FLAGS type='integer'>0x1</INDEX_FLAGS> <INDEX_BITS type='hex'>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</INDEX_BITS> </INDEX> <INDEX> <INDEX_TAG type='integer'>0x7007</INDEX_TAG> <INDEX_KEY type='integer'>0x9004</INDEX_KEY> <INDEX_FLAGS type='integer'>0x1</INDEX_FLAGS> <INDEX_BITS type='hex'>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000284712e0020fce418e040000</INDEX_BITS> </INDEX> </INDEXES> <DATABASE> <OS_PLATFORM type='integer'>0x1</OS_PLATFORM> <NAME type='stringref'>0x6</NAME> <DATABASE_ID type='guid'>XXXXXXX-XX-XXXX-XXXX-XXXX...</DATABASE_ID> <LIBRARY> <SHIM> <NAME type='stringref'>0x30</NAME> <DLLFILE type='stringref'>0x52</DLLFILE> </SHIM> </LIBRARY> <EXE> <NAME type='stringref'>0x7e</NAME> <APP_NAME type='stringref'>0x9c</APP_NAME> <EXE_ID type='hex'>YYYYY-YYY-YYY-YYYYY...</EXE_ID> <MATCHING_FILE> <NAME type='stringref'>0xbe</NAME> </MATCHING_FILE> <SHIM_REF> <NAME type='stringref'>0x30</NAME> <SHIM_TAGID type='integer'>0x47c</SHIM_TAGID> </SHIM_REF> </EXE> </DATABASE> <STRINGTABLE> <STRINGTABLE_ITEM type='string'>XXXengine_Database</STRINGTABLE_ITEM> <STRINGTABLE_ITEM type='string'>XXXengine_Shim</STRINGTABLE_ITEM> <STRINGTABLE_ITEM type='string'>Custom\xxx.dll</STRINGTABLE_ITEM> <STRINGTABLE_ITEM type='string'>calc.exe</STRINGTABLE_ITEM> <STRINGTABLE_ITEM type='string'>XXXengine_Apps</STRINGTABLE_ITEM> <STRINGTABLE_ITEM type='string'>*</STRINGTABLE_ITEM> </STRINGTABLE> sdb_dump_database.py This script dumps the DATABASE element of a shim database, and resolves value references. $python sdb_dump_database.py example.sdb <DATABASE> <OS_PLATFORM type='integer'>0x1</OS_PLATFORM> <NAME type='stringref'>XXXengine_Database</NAME> <DATABASE_ID type='guid'>XXXXX-XXX-XXX-XX...</DATABASE_ID> <LIBRARY> <SHIM> <NAME type='stringref'>XXXengine_Shim</NAME> <DLLFILE type='stringref'>Custom\xxx.dll</DLLFILE> </SHIM> </LIBRARY> <EXE> <NAME type='stringref'>calc.exe</NAME> <APP_NAME type='stringref'>XXXengine_Apps</APP_NAME> <EXE_ID type='hex'>YYYYY-YYY-YYY-YYYYY...</EXE_ID> <MATCHING_FILE> <NAME type='stringref'>*</NAME> </MATCHING_FILE> <SHIM_REF> <NAME type='stringref'>XXXengine_Shim</NAME> <SHIM_TAGID type='integer'>0x47c</SHIM_TAGID> </SHIM_REF> </EXE> </DATABASE> sdb_dump_shims.py This script dumps the DATABASE element of a shim database, resolves value references, and substitutes complete shim definitions for SHIM_REF elements. <DATABASE> <OS_PLATFORM type='integer'>0x1</OS_PLATFORM> <NAME type='stringref'>XXXengine_Database</NAME> <DATABASE_ID type='guid'>XXXXXXX-XXXX-XXX-XXX-XX...</DATABASE_ID> <LIBRARY> <SHIM> <NAME type='stringref'>XXXengine_Shim</NAME> <DLLFILE type='stringref'>Custom\xxx.dll</DLLFILE> </SHIM> </LIBRARY> <EXE> <NAME type='stringref'>calc.exe</NAME> <APP_NAME type='stringref'>XXXengine_Apps</APP_NAME> <EXE_ID type='hex'>YYYYY-YYY-YYY-YYYYY...</EXE_ID> <MATCHING_FILE> <NAME type='stringref'>*</NAME> </MATCHING_FILE> <SHIM> <!-- SHIM_REF name:'XXXengine_Shim' offset:0x47c --> <NAME type='stringref'>XXXengine_Shim</NAME> <DLLFILE type='stringref'>Custom\xxx.dll</DLLFILE> </SHIM> </EXE> </DATABASE> Another useful tool is the Windows Shim Database (SDB) Parser by TZWorks. </p> References and additional readings Understanding Shims | Microsoft Docs Microsoft Application Compatibility Toolkit python-sdb on GitHub Windows Shim Database (SDB) Parser
Read More
Related rules
- Creation Exe for Service with Unquoted Path
- Suspicious desktop.ini Action
- Windows Network Access Suspicious desktop.ini Action
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group