Suspicious Shim Database Patching Activity
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
Sigma rule

```yaml
title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: test
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-12-06
tags:
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
        TargetObject|endswith:
            # Note: add other applications to increase coverage
            - '\csrss.exe'
            - '\dllhost.exe'
            - '\explorer.exe'
            - '\RuntimeBroker.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\svchost.exe'
            - '\taskhostw.exe'
            - '\winlogon.exe'
            - '\WmiPrvSe.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
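To check what the `selection` block above actually matches, here is an added example (not part of the Sigma project or the rule author's code) that re-implements the two `TargetObject` modifiers in plain Python and runs them over constructed registry_set records; the registry paths are hypothetical samples, and logsource filtering (category/product) is assumed to happen upstream.

```python
# Added example: evaluates this rule's `selection` logic against
# constructed registry_set records. Not the Sigma project's own code.

# TargetObject|contains value from the rule (backslashes escaped for Python).
APPCOMPAT_CUSTOM = "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\"

# TargetObject|endswith list from the rule; extend it to widen coverage.
PATCHED_PROCESSES = (
    "\\csrss.exe", "\\dllhost.exe", "\\explorer.exe", "\\RuntimeBroker.exe",
    "\\services.exe", "\\sihost.exe", "\\svchost.exe", "\\taskhostw.exe",
    "\\winlogon.exe", "\\WmiPrvSe.exe",
)


def selection_matches(target_object: str) -> bool:
    """Both modifiers inside one Sigma selection map are AND-ed.
    Sigma string matching is case-insensitive, so fold both sides."""
    target = target_object.lower()
    if APPCOMPAT_CUSTOM.lower() not in target:
        return False
    return any(target.endswith(proc.lower()) for proc in PATCHED_PROCESSES)


# Constructed sample records (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    # 1. custom shim registered for svchost.exe -> should alert
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\svchost.exe"},
    # 2. same kind of key, different letter case -> still alerts
    {"TargetObject": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\WINLOGON.EXE"},
    # 3. shim for an application not on the watch list -> no alert
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\notepad.exe"},
    # 4. watched binary, but under a different AppCompatFlags key -> no alert
    {"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\svchost.exe"},
]


def triage(events):
    """Return the TargetObject of every record the rule would flag."""
    return [e["TargetObject"] for e in events if selection_matches(e["TargetObject"])]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Records 1 and 2 are flagged; 3 and 4 are not, which shows the rule only fires for the listed binaries under the `Custom` key and why the `endswith` list is the knob for tuning coverage.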
Related rules
- Potential Persistence Via Shim Database In Uncommon Location
- Potential Persistence Via Shim Database Modification
- Potential Shim Database Persistence via Sdbinst.EXE
- Uncommon Extension Shim Database Installation Via Sdbinst.EXE
- Chromium Browser Instance Executed With Custom Extension