Installation of Custom Shim Databases | Elastic Security Solution [8.8]

› › ›

« InstallUtil Process Making Network Connections Installation of Security Support Provider »

Installation of Custom Shim Databasesedit

Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.

Rule type: eql

Rule indices:

logs-endpoint.events.*
winlogbeat-*
logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Persistence

Version: 101 (version history)

Added (Elastic Stack release): 7.10.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

sequence by process.entity_id with maxspan = 5m [process where
event.type == "start" and not (process.name : "sdbinst.exe" and
process.parent.name : "msiexec.exe")] [registry where event.type in
("creation", "change") and registry.path :
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"]

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Event Triggered Execution
- ID: T1546
- Reference URL: https://attack.mitre.org/techniques/T1546/

Rule version historyedit

Version 101 (8.5.0 release)

Updated query, changed from:

sequence by process.entity_id with maxspan = 5m [process where
event.type in ("start", "process_started") and not (process.name :
"sdbinst.exe" and process.parent.name : "msiexec.exe")] [registry
where event.type in ("creation", "change") and registry.path :
"HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"]

Version 4 (8.4.0 release)

Formatting only

Version 3 (7.12.0 release)

Updated query, changed from:

sequence by process.entity_id with maxspan=5m [process where
event.type in ("start", "process_started") and not (process.name
: "sdbinst.exe" and process.parent.name : "msiexec.exe")] [registry
where event.type in ("creation", "change") and
wildcard(registry.path, "HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb")]

Version 2 (7.11.0 release)

Formatting only

« InstallUtil Process Making Network Connections Installation of Security Support Provider »