IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« InstallUtil Process Making Network Connections Interactive Terminal Spawned via Perl »

› › ›

Installation of Custom Shim Databases

edit

Installation of Custom Shim Databases

edit

Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.

Rule type: eql

Rule indices:

logs-endpoint.events.*
winlogbeat-*

Severity: medium

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Persistence

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit

sequence by process.entity_id with maxspan=5m [process where
event.type in ("start", "process_started") and not (process.name
: "sdbinst.exe" and process.parent.name : "msiexec.exe")] [registry
where event.type in ("creation", "change") and
wildcard(registry.path, "HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb")]

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Application Shimming
- ID: T1138
- Reference URL: https://attack.mitre.org/techniques/T1138/

« InstallUtil Process Making Network Connections Interactive Terminal Spawned via Perl »