From 95f0e151ea61b79f1cd8b5f259010c028937ec1f Mon Sep 17 00:00:00 2001
From: Andrew Beers
Date: Tue, 12 Nov 2019 16:49:38 -0800
Subject: [PATCH] create simple sdb file (#649)

---
 atomics/T1138/T1138.yaml                  | 30 ++++++++++++++++++++++
 atomics/T1138/bin/T1138CompatDatabase.sdb | Bin 0 -> 1414 bytes
 2 files changed, 30 insertions(+)
 create mode 100644 atomics/T1138/bin/T1138CompatDatabase.sdb

diff --git a/atomics/T1138/T1138.yaml b/atomics/T1138/T1138.yaml
index 443f6455..3a4080aa 100644
--- a/atomics/T1138/T1138.yaml
+++ b/atomics/T1138/T1138.yaml
@@ -24,3 +24,33 @@ atomic_tests:
     command: |
       sdbinst.exe #{file_path}
       sdbinst.exe -u #{file_path}
+
+- name: New shim database files created in the default shim database directory
+  description: |
+    https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
+      Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
+    cleanup_command: |
+      Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
+      Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
+
+- name: Registry key creation and/or modification events for SDB
+  description: |
+    https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
+      New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
+    cleanup_command: |
+      Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138"
+      Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138"
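Review bot: The registry test writes `AtomicRedTeamT1138` as a value directly on the `AppCompatFlags\Custom` and `AppCompatFlags\InstalledSDB` parent keys, whereas a genuine sdbinst install (as described in the FireEye post the test cites) creates a per-database subkey `InstalledSDB\{GUID}` holding `DatabasePath`, and a per-target subkey `Custom\<app.exe>` holding a `{GUID}.sdb` value, so detection content keyed on subkey creation or on `DatabasePath` will not fire on this atomic. `New-ItemProperty` without `-Force` also appears to fail on a second run (the value already exists) and on hosts where the `Custom` key has never been created, after which the cleanup errors on the missing value; likewise the file test's hard-coded `C:\Windows` and `Custom64` paths will fail where the system drive differs or the 64-bit subdirectory is absent, so `$env:SystemRoot` and `-ErrorAction SilentlyContinue` on the `Remove-Item` lines would be safer. Both descriptions are bare URLs; the first should state what the dropped binary contains and that it is only copied, never installed, e.g. `description: | Copies a benign, uninstalled shim database (T1138CompatDatabase.sdb) into %SystemRoot%\AppPatch\Custom and Custom64 to generate file-creation telemetry only; see <URL>.` Rewritten registry commands for the second test follow.
```yaml
    command: |
      $sdb = "$env:SystemRoot\AppPatch\Custom\T1138CompatDatabase.sdb"
      $installed = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{AtomicRedTeamT1138}"
      $custom = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\AtomicRedTeamT1138.exe"
      New-Item -Path $installed -Force | Out-Null
      New-ItemProperty -Path $installed -Name "DatabasePath" -Value $sdb -PropertyType String -Force | Out-Null
      New-Item -Path $custom -Force | Out-Null
      New-ItemProperty -Path $custom -Name "{AtomicRedTeamT1138}.sdb" -Value 0 -PropertyType QWord -Force | Out-Null
    cleanup_command: |
      Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{AtomicRedTeamT1138}" -Recurse -ErrorAction SilentlyContinue
      Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\AtomicRedTeamT1138.exe" -Recurse -ErrorAction SilentlyContinue
```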
diff --git a/atomics/T1138/bin/T1138CompatDatabase.sdb b/atomics/T1138/bin/T1138CompatDatabase.sdb new file mode 100644 index 0000000000000000000000000000000000000000..04e9e922da2c0072e0b2bc4ae15632d9c402d3ae GIT binary patch literal 1414 zcmaJ=OKcKR6uoaiuv8nUwI)qtu(nDY!~#mtm=vT9jcK(}qb9~UrKO)(U;=1q+!$A^ z3`?S>(df#B+xl6Vn8q}^aBW?>aqGsNp8FmQ@)p#HunLQ*C9U*R z!>Q!OS&KRiTU6-%F@ck)?gLKUm7rJ$L`s&X-}2WL?|epY*>kCLa}EJpJuinb>QDq{lO0m;MUq z)^~v(-H#DzbAsL_iCknecL($tC|!o?_c8XO^oFs_orWnuuNSF6}%Wd={TJ>xZUuEQsbnmJmB6Em0KkTxB% zv<&VFZ9px8&qzQ1uLaE+1u>H_MJR;Z2BkjzAKgp7TGjJ(7uDBLo%15_W6z+Rd=$HJ Z8kKH`fjsj(o;0SUroKTJ<&=2le*w<^&u;(# literal 0 HcmV?d00001