Potential Persistence Via Shim Database In Uncommon Location

Detects the installation of a new shim database where the file is located in a non-default location

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Shim Database In Uncommon Location
 2id: 6b6976a3-b0e6-4723-ac24-ae38a737af41
 3status: test
 4description: Detects the installation of a new shim database where the file is located in a non-default location
 5references:
 6    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 7    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
 8    - https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023-08-01
11modified: 2023-08-17
12tags:
13    - attack.persistence
14    - attack.t1546.011
15logsource:
16    category: registry_set
17    product: windows
18detection:
19    selection:
20        TargetObject|contains|all:
21            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
22            - '\DatabasePath'
23    filter_main_known_locations:
24        Details|contains: ':\Windows\AppPatch\Custom'
25    condition: selection and not 1 of filter_main_*
26falsepositives:
27    - Unknown
28level: high

References

Related rules

to-top