Potential Shim Database Persistence via Sdbinst.EXE

Original Source: [Sigma source]
Title: Potential Shim Database Persistence via Sdbinst.EXE
Status: test
Description: Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
References:
  - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
Author: Markus Neis
Date: 2019-01-16
Modified: 2023-12-06
Tags:
  • attack.persistence
  • attack.privilege-escalation
  • attack.t1546.011
Logsource:
  • category: process_creation
  • product: windows
Detection:
  selection_img:
    Image|endswith: '\sdbinst.exe'
    OriginalFileName: 'sdbinst.exe'
  selection_cli:
    CommandLine|contains: '.sdb'
  filter_optional_iis:
    ParentImage|endswith: '\msiexec.exe'
    CommandLine|contains:
      - ':\Program Files (x86)\IIS Express\iisexpressshim.sdb'
      - ':\Program Files\IIS Express\iisexpressshim.sdb'
  condition: all of selection_* and not 1 of filter_optional_*
False positives:
  - Unknown
Level: medium
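To make the condition concrete, here is an added example (not part of the Sigma rule or the Sigma project's own tooling) that transcribes the detection block above into a small evaluator and runs it over constructed process_creation events. It assumes Sysmon-style field names (Image, OriginalFileName, CommandLine, ParentImage), implements only the modifiers the rule uses (endswith, contains, exact match) with Sigma's case-insensitive string comparison, and treats a map of fields as AND and a list of values as OR. The sample events are constructed for illustration, not real telemetry; they cover the plain alert case, the IIS Express installer that the optional filter is meant to suppress, the same .sdb path launched from a parent other than msiexec.exe (which the filter does not cover, so it still alerts), and an unrelated process that merely mentions a .sdb file.

```python
"""Evaluate the sdbinst.exe shim-persistence rule over sample process_creation events."""
from __future__ import annotations

from typing import Any

# Detection logic transcribed from the rule above. Keys inside one selection
# are ANDed; a list of patterns for one key is ORed (Sigma semantics).
RULE: dict[str, dict[str, Any]] = {
    "selection_img": {
        "Image|endswith": "\\sdbinst.exe",
        "OriginalFileName": "sdbinst.exe",
    },
    "selection_cli": {"CommandLine|contains": ".sdb"},
    "filter_optional_iis": {
        "ParentImage|endswith": "\\msiexec.exe",
        "CommandLine|contains": [
            ":\\Program Files (x86)\\IIS Express\\iisexpressshim.sdb",
            ":\\Program Files\\IIS Express\\iisexpressshim.sdb",
        ],
    },
}


def _match_value(field_value: str, modifier: str, pattern: str) -> bool:
    """Case-insensitive comparison, as Sigma does by default; only the
    modifiers used by this rule are implemented."""
    value, pat = field_value.lower(), pattern.lower()
    if modifier == "":
        return value == pat
    if modifier == "endswith":
        return value.endswith(pat)
    if modifier == "contains":
        return pat in value
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(event: dict[str, str], selection: dict[str, Any]) -> bool:
    """All keys of the selection must match (AND); for a key with several
    patterns, any one pattern suffices (OR). A missing field never matches."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field, "")
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match_value(value, modifier, p) for p in patterns):
            return False
    return True


def matches_rule(event: dict[str, str]) -> bool:
    """condition: all of selection_* and not 1 of filter_optional_*"""
    selections = [v for k, v in RULE.items() if k.startswith("selection_")]
    filters = [v for k, v in RULE.items() if k.startswith("filter_optional_")]
    return all(match_selection(event, s) for s in selections) and not any(
        match_selection(event, f) for f in filters
    )


# Constructed sample events (assumed Sysmon-style field names, not real logs).
SDBINST = r"C:\Windows\System32\sdbinst.exe"
IIS_CLI = r'"C:\Windows\System32\sdbinst.exe" -q "C:\Program Files\IIS Express\iisexpressshim.sdb"'
EVENTS: dict[str, dict[str, str]] = {
    # sdbinst.exe installing a shim database from a user-writable path: alert.
    "suspicious": {
        "Image": SDBINST,
        "OriginalFileName": "sdbinst.exe",
        "CommandLine": r"sdbinst.exe -q C:\Users\Public\update.sdb",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    # IIS Express setup run by msiexec.exe: matched by filter_optional_iis, suppressed.
    "iis_express_installer": {
        "Image": SDBINST,
        "OriginalFileName": "sdbinst.exe",
        "CommandLine": IIS_CLI,
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
    },
    # Same .sdb path but a different parent: the filter requires both, so it alerts.
    "iis_path_wrong_parent": {
        "Image": SDBINST,
        "OriginalFileName": "sdbinst.exe",
        "CommandLine": IIS_CLI,
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    # A .sdb file name in the command line of another binary: selection_img fails.
    "unrelated_process": {
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.sdb",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
}


def evaluate_all() -> dict[str, bool]:
    """Return which constructed events the rule would alert on."""
    return {name: matches_rule(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:24s} -> {'ALERT' if hit else 'no match'}")
```

The third event is the one worth noticing when tuning: the optional filter only suppresses the IIS Express shim when msiexec.exe is the parent, so loosening it to the file path alone would also hide a copy of that path used from any other process.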