ShimCache Flush
Detects actions that clear the local ShimCache and remove forensic evidence
Sigma rule
```yaml
title: ShimCache Flush
id: b0524451-19af-4efa-a46f-562a977f792e
status: stable
description: Detects actions that clear the local ShimCache and remove forensic evidence
references:
    - https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
author: Florian Roth (Nextron Systems)
date: 2021/02/01
tags:
    - attack.defense_evasion
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection1a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'apphelp.dll'
    selection1b:
        CommandLine|contains:
            - 'ShimFlushCache'
            - '#250'
    selection2a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'kernel32.dll'
    selection2b:
        CommandLine|contains:
            - 'BaseFlushAppcompatCache'
            - '#46'
    condition: ( selection1a and selection1b ) or ( selection2a and selection2b )
fields:
    - Image
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
```
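To make the condition above concrete, here is an added Python example (not code from the Sigma project or its converters) that applies the same two selection pairs to constructed process_creation events and returns the rule's listed fields for each hit; the event shape, a dict keyed by the rule's field names, is an assumption.

```python
# Added example: evaluates the ShimCache Flush rule condition against
# constructed process_creation events. Event shape is an assumption.
from typing import Dict, Iterable, List, Tuple

# (contains|all terms, contains-any terms) for selection1a/1b and selection2a/2b.
SELECTIONS: List[Tuple[Tuple[str, ...], Tuple[str, ...]]] = [
    (("rundll32", "apphelp.dll"), ("ShimFlushCache", "#250")),
    (("rundll32", "kernel32.dll"), ("BaseFlushAppcompatCache", "#46")),
]

FIELDS = ("Image", "CommandLine", "ParentCommandLine")


def matches_shimcache_flush(event: Dict[str, str]) -> bool:
    """True when CommandLine satisfies (1a and 1b) or (2a and 2b).

    Sigma string modifiers are case-insensitive, so both sides are lowercased.
    """
    cmd = event.get("CommandLine", "").lower()
    for all_terms, any_terms in SELECTIONS:
        has_all = all(t.lower() in cmd for t in all_terms)
        has_any = any(t.lower() in cmd for t in any_terms)
        if has_all and has_any:
            return True
    return False


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the rule's 'fields' for every matching event."""
    return [{k: ev.get(k, "") for k in FIELDS}
            for ev in events if matches_shimcache_flush(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe apphelp.dll,ShimFlushCache",
     "ParentCommandLine": "cmd.exe"},                     # selection1a + 1b
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "RUNDLL32 kernel32.dll,#46",
     "ParentCommandLine": "powershell.exe"},              # selection2a + 2b
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentCommandLine": "explorer.exe"},                # benign rundll32 use
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe apphelp.dll,#46",
     "ParentCommandLine": "cmd.exe"},                     # ordinal from the other pair: no match
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The fourth event shows why the rule pairs each DLL with its own export names: mixing the selections would not fire.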
Related rules
- Removal of Potential COM Hijacking Registry Keys
- Terminal Server Client Connection History Cleared - Registry
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- NetNTLM Downgrade Attack
- Enable WDigest using PowerShell (ps_module)