From b65cb5eaca8c7f3582272ecca6442eb7b7bffb5a Mon Sep 17 00:00:00 2001
From: yt0ng <38029682+yt0ng@users.noreply.github.com>
Date: Sun, 5 Aug 2018 13:55:04 +0200
Subject: [PATCH 1/3] Possible Shim Database Persistence via sdbinst.exe
---
 .../sysmon_sdbinst_shim_persistence.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
new file mode 100644
index 000000000..c5e79d6ba
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
@@ -0,0 +1,21 @@
+title: Possible Shim Database Persistence via sdbinst.exe
+status: experimental
+description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\*
+references:
+ - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+author: Markus Neis
+date: 2018/03/08
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ Image:
+ - '*\sdbinst.exe'
+ CommandLine:
+ - '*\AppPatch\*}.sdb*'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From fc091fe3d7bfee7b91fc2a1bb4bf05a5492bd25f Mon Sep 17 00:00:00 2001
From: yt0ng <38029682+yt0ng@users.noreply.github.com>
Date: Sun, 5 Aug 2018 14:00:22 +0200
Subject: [PATCH 2/3] Added ATTCK Mapping
---
 rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
index c5e79d6ba..fe216e591 100644
--- a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
+++ b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
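Review bot: The CommandLine selector `'*\AppPatch\*}.sdb*'` only matches when the .sdb argument already sits under AppPatch and its name ends in `}` (a GUID-named database), and the description does not say so, so a reader cannot tell whether the brace is deliberate or a typo. I would record the intent in the description, e.g. `description: Detects sdbinst.exe installing a GUID-named shim database ({GUID}.sdb) from the default shim database path C:\Windows\AppPatch\`, so a later tuning pass does not silently drop the `}`. `falsepositives:` holding only `Unknown` alongside `level: high` also deserves a second look: sdbinst runs from legitimate software-deployment tooling are plausible and the analyst is given nothing to triage against. Minor style point: `Image` and `CommandLine` each wrap a single value in a list where a plain scalar would express the same selection.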
@@ -3,6 +3,9 @@ status: experimental
 description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\*
 references:
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+tags:
+ - attack.persistence
+ - attack.T1138
 author: Markus Neis
 date: 2018/03/08
 logsource:
From 80eaedab8b4affe369ee1c077c75b82db2d36601 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 7 Aug 2018 08:22:11 +0200
Subject: [PATCH 3/3] Fixed tag and date
---
 rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
index fe216e591..cea5c5ba8 100644
--- a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
+++ b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
@@ -5,9 +5,9 @@ references:
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
 tags:
 - attack.persistence
- - attack.T1138
+ - attack.t1138
 author: Markus Neis
-date: 2018/03/08
+date: 2018-08-03
 logsource:
 product: windows
 service: sysmon
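Review bot: The new `date: 2018-08-03` is an unquoted ISO date, which YAML 1.1 loaders such as PyYAML resolve to a `datetime.date` rather than the string every other metadata field in this rule is; the replaced `2018/03/08` form was a plain string, so the type of this field changes with the fix. If the consuming tooling expects a string, quote it: `date: '2018-08-03'`. Whether that tooling wants slashes or dashes I cannot tell from the hunk, but either way a quoted value stops the parser from choosing the type.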