Uncommon Extension Shim Database Installation Via Sdbinst.EXE

 1title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE
 2id: 18ee686c-38a3-4f65-9f44-48a077141f42
 3related:
 4    - id: 517490a7-115a-48c6-8862-1a481504d5a8
 5      type: derived
 6status: test
 7description: |
 8    Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
 9    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims    
10references:
11    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
12    - https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023-08-01
15modified: 2024-01-10
16tags:
17    - attack.persistence
18    - attack.privilege-escalation
19    - attack.t1546.011
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        - Image|endswith: '\sdbinst.exe'
26        - OriginalFileName: 'sdbinst.exe'
27    filter_main_legit_ext:
28        CommandLine|contains: '.sdb'
29    filter_main_legit_extensions:
30        # ParentImage|endswith: ':\Windows\System32\svchost.exe'
31        - CommandLine|endswith:
32              - ' -c'
33              - ' -f'
34              - ' -mm'
35              - ' -t'
36        - CommandLine|contains: ' -m -bg'
37    filter_main_null:
38        CommandLine: null
39    filter_main_empty:
40        CommandLine: ''
41    condition: selection and not 1 of filter_main_*
42falsepositives:
43    - Unknown
44level: medium

References

• To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence | Google Cloud Blog

  

  In 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group associated with malicious operations dating back to 2015. Throughout the various environ...

  
  Read More

• Misc-Research/Other/Undocumented-Flags-Sdbinst.md at 8ee690e43a379cbce8c9d61107442c36bd9be3d3 · nasbench/Misc-Research

  

  A collection of tools, scripts and personal research - nasbench/Misc-Research

  
  Read More

Related rules

• Potential Shim Database Persistence via Sdbinst.EXE
• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons
• Activity From Anonymous IP Address