Potential Persistence Via Shim Database In Uncommon Location

calendar Aug 17, 2023 · attack.persistence attack.t1546.011  ·
Share on: linkedin copy

Detects the installation of a new shim database where the file is located in a non-default location

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Shim Database In Uncommon Location
 2id: 6b6976a3-b0e6-4723-ac24-ae38a737af41
 3status: experimental
 4description: Detects the installation of a new shim database where the file is located in a non-default location
 5references:
 6    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 7    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
 8    - https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023/08/01
11modified: 2023/08/17
12tags:
13    - attack.persistence
14    - attack.t1546.011
15logsource:
16    category: registry_set
17    product: windows
18detection:
19    selection:
20        TargetObject|contains|all:
21            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
22            - '\DatabasePath'
23    filter_main_known_locations:
24        Details|contains: ':\Windows\AppPatch\Custom'
25    condition: selection and not 1 of filter_main_*
26falsepositives:
27    - Unknown
28level: high

References

  • To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence | Mandiant

    In 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group associated with malicious operations dating back to 2015. Throughout the various environ...


    Read More

  • Process Injection and Persistence using Application Shimming

    Microsoft provides Shims to developers mainly for backward compatibility, but malware can take advantage of shims to target an executable for both persistence and injection. As the Windows operating system evolves from version to version, changes to the implementation of some functions may affect applications that depend on them. Because of the nature of software, modifying the function again to resolve this compatibility issue could break additional applications or require Windows to remain the same regardless of the improvement that the alternative implementation could offer. Using the Shim Infrastructure, programmers can target a specific application fix but only for a particular application (and typically, for particular versions of that application), with these fixes housed outside the core Windows functions and maintained separately. The Shim Infrastructure implements a form of application programming interface (API) hooking: specifically, it leverages the nature of linking to redirect API calls from Windows itself to alternative code (the shim). from https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-7/dd837644(v=ws.10) So, shims are essentially a way of hooking into APIs and targeting specific executables: Windows runs the Shim Engine when it loads a binary to check for shimming databases in order to apply the appropriate fixes and malware can take advantage of shims to target an executable for both persistence and injection. </p> How can be created a shim? Microsoft allows anyone to create and install Shim database (sdb) files. These database files contain the specific details on how Windows should manipulate (in other words ‘shim’) a target program with predefined ‘Fixes’. Microsoft provides also a free tool called the Application Compatibility Administrator which allows users to create and apply specific fixes such as ‘DisableNX’,‘ModifyShellLinkPath’,‘VirtualRegistry’,‘DisableAdvancedPCClientHardening’, ‘ForceAdminAccess’,‘InjectDll’, ‘DisableSeh’,‘ShellExecuteXP’ and many others. After, the Application Compatibility Toolkit can be used to create and install a shim by guiding the user through a simple wizard. The installer will create a GUID, copy the sdb file in to %SystemRoot%\AppPatch\Custom\<GUID>.sdb then add a registry key using an internal database namein the format of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\<GUID>.sdbandHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\<GUID>.sdb Obviously if a user/malware has administrative access,they could simply add the keys to the registry directly. After the sdb file installation is complete all processes launched after that point will be subjected to the file matching rules of this shim database. </p> How shim cache can be useful for a malware? Nearly every process is vulnerable to shim injection and all modern Windows OS versions support shims and natively ship with the auto-elevated shim database installer sdbinst.exe. Custom fixes can be defined in the form of a user supplied DLL file, furthermore fixes are not considered executable even though they can contain shellcode. The shim engine (shimeng.dll) will not shim certain hard coded modules such as: NT Symbolic Debugger (NTSD), WinDbg or Software License Service (slsvc.exe) and it will intercept GetProcAddress() in the event an application attempts to dynamically call a function that the shim engine has manipulated. </p> How analyze a shim database? There are a few existing tools for analyzing sdb files, one of my favorites is python-sdb, a kit of python parsers for Application Compatibility Shim Databases. Examples sdb_dump_raw.py This script dumps all elements of the shim database format, without resolving references. $python sdb_dump_raw.py example.sdb <INDEXES> <INDEX> <INDEX_TAG type='integer'>0x7007</INDEX_TAG> <INDEX_KEY type='integer'>0x6001</INDEX_KEY> <INDEX_BITS type='hex'>0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002e54534f484356538e0400002e54534f484356538e040000</INDEX_BITS> </INDEX> <INDEX> <INDEX_TAG type='integer'>0x7007</INDEX_TAG> <INDEX_KEY type='integer'>0x4016</INDEX_KEY> <INDEX_FLAGS type='integer'>0x1</INDEX_FLAGS> <INDEX_BITS type='hex'>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</INDEX_BITS> </INDEX> <INDEX> <INDEX_TAG type='integer'>0x7007</INDEX_TAG> <INDEX_KEY type='integer'>0x600b</INDEX_KEY> <INDEX_FLAGS type='integer'>0x1</INDEX_FLAGS> <INDEX_BITS type='hex'>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</INDEX_BITS> </INDEX> <INDEX> <INDEX_TAG type='integer'>0x7007</INDEX_TAG> <INDEX_KEY type='integer'>0x6020</INDEX_KEY> <INDEX_FLAGS type='integer'>0x1</INDEX_FLAGS> <INDEX_BITS type='hex'>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</INDEX_BITS> </INDEX> <INDEX> <INDEX_TAG type='integer'>0x7007</INDEX_TAG> <INDEX_KEY type='integer'>0x9004</INDEX_KEY> <INDEX_FLAGS type='integer'>0x1</INDEX_FLAGS> <INDEX_BITS type='hex'>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000284712e0020fce418e040000</INDEX_BITS> </INDEX> </INDEXES> <DATABASE> <OS_PLATFORM type='integer'>0x1</OS_PLATFORM> <NAME type='stringref'>0x6</NAME> <DATABASE_ID type='guid'>XXXXXXX-XX-XXXX-XXXX-XXXX...</DATABASE_ID> <LIBRARY> <SHIM> <NAME type='stringref'>0x30</NAME> <DLLFILE type='stringref'>0x52</DLLFILE> </SHIM> </LIBRARY> <EXE> <NAME type='stringref'>0x7e</NAME> <APP_NAME type='stringref'>0x9c</APP_NAME> <EXE_ID type='hex'>YYYYY-YYY-YYY-YYYYY...</EXE_ID> <MATCHING_FILE> <NAME type='stringref'>0xbe</NAME> </MATCHING_FILE> <SHIM_REF> <NAME type='stringref'>0x30</NAME> <SHIM_TAGID type='integer'>0x47c</SHIM_TAGID> </SHIM_REF> </EXE> </DATABASE> <STRINGTABLE> <STRINGTABLE_ITEM type='string'>XXXengine_Database</STRINGTABLE_ITEM> <STRINGTABLE_ITEM type='string'>XXXengine_Shim</STRINGTABLE_ITEM> <STRINGTABLE_ITEM type='string'>Custom\xxx.dll</STRINGTABLE_ITEM> <STRINGTABLE_ITEM type='string'>calc.exe</STRINGTABLE_ITEM> <STRINGTABLE_ITEM type='string'>XXXengine_Apps</STRINGTABLE_ITEM> <STRINGTABLE_ITEM type='string'>*</STRINGTABLE_ITEM> </STRINGTABLE> sdb_dump_database.py This script dumps the DATABASE element of a shim database, and resolves value references. $python sdb_dump_database.py example.sdb <DATABASE> <OS_PLATFORM type='integer'>0x1</OS_PLATFORM> <NAME type='stringref'>XXXengine_Database</NAME> <DATABASE_ID type='guid'>XXXXX-XXX-XXX-XX...</DATABASE_ID> <LIBRARY> <SHIM> <NAME type='stringref'>XXXengine_Shim</NAME> <DLLFILE type='stringref'>Custom\xxx.dll</DLLFILE> </SHIM> </LIBRARY> <EXE> <NAME type='stringref'>calc.exe</NAME> <APP_NAME type='stringref'>XXXengine_Apps</APP_NAME> <EXE_ID type='hex'>YYYYY-YYY-YYY-YYYYY...</EXE_ID> <MATCHING_FILE> <NAME type='stringref'>*</NAME> </MATCHING_FILE> <SHIM_REF> <NAME type='stringref'>XXXengine_Shim</NAME> <SHIM_TAGID type='integer'>0x47c</SHIM_TAGID> </SHIM_REF> </EXE> </DATABASE> sdb_dump_shims.py This script dumps the DATABASE element of a shim database, resolves value references, and substitutes complete shim definitions for SHIM_REF elements. <DATABASE> <OS_PLATFORM type='integer'>0x1</OS_PLATFORM> <NAME type='stringref'>XXXengine_Database</NAME> <DATABASE_ID type='guid'>XXXXXXX-XXXX-XXX-XXX-XX...</DATABASE_ID> <LIBRARY> <SHIM> <NAME type='stringref'>XXXengine_Shim</NAME> <DLLFILE type='stringref'>Custom\xxx.dll</DLLFILE> </SHIM> </LIBRARY> <EXE> <NAME type='stringref'>calc.exe</NAME> <APP_NAME type='stringref'>XXXengine_Apps</APP_NAME> <EXE_ID type='hex'>YYYYY-YYY-YYY-YYYYY...</EXE_ID> <MATCHING_FILE> <NAME type='stringref'>*</NAME> </MATCHING_FILE> <SHIM> <!-- SHIM_REF name:'XXXengine_Shim' offset:0x47c --> <NAME type='stringref'>XXXengine_Shim</NAME> <DLLFILE type='stringref'>Custom\xxx.dll</DLLFILE> </SHIM> </EXE> </DATABASE> Another useful tool is the Windows Shim Database (SDB) Parser by TZWorks. </p> References and additional readings Understanding Shims | Microsoft Docs Microsoft Application Compatibility Toolkit python-sdb on GitHub Windows Shim Database (SDB) Parser


    Read More

  • %PDF-1.5 %µµµµ 1 0 obj >> endobj 2 0 obj endobj 3 0 obj /ExtGState /Font /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 720 540] /Contents 4 0 R/Group /Tabs/S/StructParents 0>> endobj 4 ...


    Read More

Related rules

to-top