Potential Shim Database Persistence via Sdbinst.EXE

calendar Dec 21, 2023 · attack.persistence attack.privilege_escalation attack.t1546.011  ·
Share on: linkedin copy

Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims

Sigma rule (View on GitHub)

 1title: Potential Shim Database Persistence via Sdbinst.EXE
 2id: 517490a7-115a-48c6-8862-1a481504d5a8
 3related:
 4    - id: 18ee686c-38a3-4f65-9f44-48a077141f42
 5      type: similar
 6status: test
 7description: |
 8    Detects installation of a new shim using sdbinst.exe.
 9    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims    
10references:
11    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
12author: Markus Neis
13date: 2019/01/16
14modified: 2023/12/06
15tags:
16    - attack.persistence
17    - attack.privilege_escalation
18    - attack.t1546.011
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\sdbinst.exe'
25        - OriginalFileName: 'sdbinst.exe'
26    selection_cli:
27        CommandLine|contains: '.sdb'
28    filter_optional_iis:
29        ParentImage|endswith: '\msiexec.exe'
30        CommandLine|contains:
31            # Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
32            - ':\Program Files (x86)\IIS Express\iisexpressshim.sdb'
33            - ':\Program Files\IIS Express\iisexpressshim.sdb'
34    condition: all of selection_* and not 1 of filter_optional_*
35falsepositives:
36    - Unknown
37level: medium

References

Related rules

to-top