← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious Shim Database Patching Activity

Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1546.011
Rule sourcerules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: test
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
        TargetObject|endswith:
            # Note: add other application to increase coverage
            - '\csrss.exe'
            - '\dllhost.exe'
            - '\explorer.exe'
            - '\RuntimeBroker.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\svchost.exe'
            - '\taskhostw.exe'
            - '\winlogon.exe'
            - '\WmiPrvSe.exe'
    condition: selection
falsepositives:
    - Unknown
level: high