ShimCache Flush

Detects actions that clear the local ShimCache and remove forensic evidence

Sigma rule

title: ShimCache Flush
id: b0524451-19af-4efa-a46f-562a977f792e
status: stable
description: Detects actions that clear the local ShimCache and remove forensic evidence
references:
    - https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
author: Florian Roth (Nextron Systems)
date: 2021/02/01
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection1a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'apphelp.dll'
    selection1b:
        CommandLine|contains:
            - 'ShimFlushCache'
            - '#250'
    selection2a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'kernel32.dll'
    selection2b:
        CommandLine|contains:
            - 'BaseFlushAppcompatCache'
            - '#46'
    condition: ( selection1a and selection1b ) or ( selection2a and selection2b )
fields:
    - Image
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
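To show what the detection block above actually fires on, here is the rule's selection and condition logic hand-coded in Python and run over a few constructed process_creation events. This is an added example, not Sigma's code and not part of the rule: the sample events, the field names beyond those the rule lists, and the helper names are all made up for illustration. It treats `contains` as case-insensitive, which is how Sigma defines string matching and how the standard backends compile it; in a real deployment you would compile the rule with sigma-cli or pySigma for your SIEM rather than re-implement the matching.

```python
"""Evaluate the ShimCache Flush rule's detection logic over sample events.

Added example, not Sigma's own code. It mirrors the rule's two selection
pairs and the condition
    ( selection1a and selection1b ) or ( selection2a and selection2b )
and runs them over constructed process_creation events.
"""

# Each entry mirrors one selection pair from the rule: the "all" list is the
# CommandLine|contains|all selection (every term must appear), the "any" list
# is the plain CommandLine|contains selection (at least one term must appear).
# The export name and its ordinal are both listed because rundll32 accepts
# either form, e.g. "apphelp.dll,ShimFlushCache" or "apphelp.dll,#250".
SELECTION_SETS = [
    {"all": ["rundll32", "apphelp.dll"], "any": ["ShimFlushCache", "#250"]},
    {"all": ["rundll32", "kernel32.dll"], "any": ["BaseFlushAppcompatCache", "#46"]},
]


def _contains(haystack: str, needle: str) -> bool:
    """Sigma `contains` modifier: substring match, case-insensitive."""
    return needle.lower() in haystack.lower()


def matches_shimcache_flush(command_line: str) -> bool:
    """True when the command line satisfies the rule's condition."""
    for sel in SELECTION_SETS:
        all_ok = all(_contains(command_line, n) for n in sel["all"])  # |contains|all
        any_ok = any(_contains(command_line, n) for n in sel["any"])  # |contains (OR)
        if all_ok and any_ok:
            return True
    return False


def evaluate(events):
    """Run the rule over process_creation events (dicts with a CommandLine
    field) and return the matching command lines in input order."""
    return [
        e["CommandLine"]
        for e in events
        if matches_shimcache_flush(e.get("CommandLine", ""))
    ]


# Constructed sample events (not real telemetry). The first two are the
# two documented flush invocations; the remaining three must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe apphelp.dll,ShimFlushCache",
     "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "RUNDLL32 kernel32.dll,#46",
     "ParentCommandLine": "powershell.exe"},
    # rundll32 + apphelp.dll but a different export: selection1b fails
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe apphelp.dll,#123",
     "ParentCommandLine": "explorer.exe"},
    # the ordinal alone, without rundll32 and the library: selection1a fails
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo #250",
     "ParentCommandLine": "explorer.exe"},
    # export name with the wrong library: selection1a fails
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,ShimFlushCache",
     "ParentCommandLine": "explorer.exe"},
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT ShimCache Flush:", hit)
```

Two points worth keeping in mind when tuning this rule: the `all` selection is what prevents the bare ordinal strings from firing on unrelated command lines, and because `contains` is a substring match, `#46` also matches longer ordinals such as `#460`, so the `kernel32.dll` pairing is doing real work in keeping the rule precise.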
