Suspicious Shim Database Installation via Sdbinst.EXE
Detects the installation of a potentially suspicious new shim database with an uncommon file extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
Sigma rule

```yaml
title: Suspicious Shim Database Installation via Sdbinst.EXE
id: 18ee686c-38a3-4f65-9f44-48a077141f42
related:
    - id: 517490a7-115a-48c6-8862-1a481504d5a8
      type: derived
status: test
description: |
    Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/08/01
modified: 2023/11/11
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1546.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\sdbinst.exe'
        - OriginalFileName: 'sdbinst.exe'
    filter_main_legit_ext:
        CommandLine|contains: '.sdb'
    filter_main_svchost1:
        ParentImage|endswith: ':\Windows\System32\svchost.exe'
        Image|endswith: ':\Windows\System32\sdbinst.exe'
        CommandLine|contains: ' -m -bg'
    filter_main_svchost2:
        ParentImage|endswith: ':\Windows\System32\svchost.exe'
        Image|endswith: ':\Windows\System32\sdbinst.exe'
        CommandLine|endswith: ' -mm'
    filter_main_null:
        CommandLine: null
    filter_main_empty:
        CommandLine: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
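To see what the rule actually fires on, the following is an added example (not part of the SigmaHQ rule or this page) that re-implements the selection, the five `filter_main_*` exclusions and the `selection and not 1 of filter_main_*` condition in Python and runs them over constructed process-creation events. The events are invented for illustration and use the Sigma `process_creation` field names (`Image`, `OriginalFileName`, `CommandLine`, `ParentImage`); the paths, file names and parent processes in them are assumptions, not observed telemetry. String matching is done case-insensitively, which is Sigma's default.

```python
# Re-implementation of the Sigma rule's detection logic for testing against sample events.
# Sigma string modifiers match case-insensitively by default, so both sides are lower-cased.

def _lc(value):
    """Lower-case a field value, treating a missing/null field as an empty string."""
    return (value or "").lower()


def selection(event):
    # 'selection' is a list of maps, so the two alternatives are OR-ed:
    # either the image name is sdbinst.exe, or the PE OriginalFileName says so
    # (the second branch catches a renamed copy of the binary).
    return (_lc(event.get("Image")).endswith(r"\sdbinst.exe")
            or _lc(event.get("OriginalFileName")) == "sdbinst.exe")


def filter_main_legit_ext(event):
    # Any command line mentioning '.sdb' is excluded; this rule is only about uncommon extensions.
    return ".sdb" in _lc(event.get("CommandLine"))


def _system32_sdbinst_under_svchost(event):
    # Shared precondition of both svchost filters: the child must be the real System32 binary
    # and the parent the System32 svchost.exe.
    return (_lc(event.get("ParentImage")).endswith(r":\windows\system32\svchost.exe")
            and _lc(event.get("Image")).endswith(r":\windows\system32\sdbinst.exe"))


def filter_main_svchost1(event):
    return _system32_sdbinst_under_svchost(event) and " -m -bg" in _lc(event.get("CommandLine"))


def filter_main_svchost2(event):
    return _system32_sdbinst_under_svchost(event) and _lc(event.get("CommandLine")).endswith(" -mm")


def filter_main_null(event):
    # 'CommandLine: null' means the field is absent or null in the event.
    return event.get("CommandLine") is None


def filter_main_empty(event):
    return event.get("CommandLine") == ""


FILTERS = [filter_main_legit_ext, filter_main_svchost1, filter_main_svchost2,
           filter_main_null, filter_main_empty]


def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


# Constructed sample events (hypothetical, not real telemetry). 'id' is only a label for the test.
SYS32 = r"C:\Windows\System32"
EVENTS = [
    # Shim file with a non-.sdb extension installed from a shell: should alert.
    {"id": "manual_uncommon_ext", "Image": SYS32 + r"\sdbinst.exe", "OriginalFileName": "sdbinst.exe",
     "CommandLine": r"sdbinst.exe -q C:\Users\Public\update.tmp", "ParentImage": SYS32 + r"\cmd.exe"},
    # Ordinary .sdb file: excluded by filter_main_legit_ext (left to the related rule).
    {"id": "manual_sdb", "Image": SYS32 + r"\sdbinst.exe", "OriginalFileName": "sdbinst.exe",
     "CommandLine": r"sdbinst.exe -q C:\Temp\app.sdb", "ParentImage": SYS32 + r"\cmd.exe"},
    # Service-driven invocations from svchost.exe: excluded by filter_main_svchost1/2.
    {"id": "svchost_m_bg", "Image": SYS32 + r"\sdbinst.exe", "OriginalFileName": "sdbinst.exe",
     "CommandLine": SYS32 + r"\sdbinst.exe -m -bg", "ParentImage": SYS32 + r"\svchost.exe"},
    {"id": "svchost_mm", "Image": SYS32 + r"\sdbinst.exe", "OriginalFileName": "sdbinst.exe",
     "CommandLine": SYS32 + r"\sdbinst.exe -mm", "ParentImage": SYS32 + r"\svchost.exe"},
    # Renamed copy of sdbinst.exe: Image does not match, OriginalFileName does; should alert.
    {"id": "renamed_binary", "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "sdbinst.exe",
     "CommandLine": r"svc.exe -q C:\Users\Public\payload.dat", "ParentImage": r"C:\Users\Public\loader.exe"},
    # No command line captured: excluded by filter_main_null.
    {"id": "no_cmdline", "Image": SYS32 + r"\sdbinst.exe", "OriginalFileName": "sdbinst.exe",
     "CommandLine": None, "ParentImage": SYS32 + r"\svchost.exe"},
    # svchost parent and '-m -bg', but the binary was copied outside System32, so the svchost
    # filters (which pin Image to System32) do not apply: should alert.
    {"id": "svchost_copy_outside_system32", "Image": r"C:\Users\Public\sdbinst.exe",
     "OriginalFileName": "sdbinst.exe", "CommandLine": r"C:\Users\Public\sdbinst.exe -m -bg",
     "ParentImage": SYS32 + r"\svchost.exe"},
]


def alerts(events=EVENTS):
    """Return the labels of all events the rule would fire on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for label in alerts():
        print("ALERT:", label)
```

Two points the sample set makes visible: the `OriginalFileName` branch is what keeps a renamed `sdbinst.exe` in scope, and the svchost exclusions are deliberately pinned to the System32 image path, so a copy of the binary run from a user-writable directory with the same maintenance switches still alerts. Conversely, `filter_main_legit_ext` drops every command line containing `.sdb`, so a shim database with the normal extension is out of scope here by design; that case belongs to the related rule 517490a7 (Potential Shim Database Persistence via Sdbinst.EXE).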
References
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
Related rules
- Potential Shim Database Persistence via Sdbinst.EXE
- Shell Process Spawned by Java.EXE
- Suspicious Processes Spawned by Java.EXE
- Potential Persistence Via Security Descriptors - ScriptBlock
- Potential Suspicious Activity Using SeCEdit