From fc091fe3d7bfee7b91fc2a1bb4bf05a5492bd25f Mon Sep 17 00:00:00 2001
From: yt0ng <38029682+yt0ng@users.noreply.github.com>
Date: Sun, 5 Aug 2018 14:00:22 +0200
Subject: [PATCH] Added ATTCK Mapping

---
 rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
index c5e79d6ba..fe216e591 100644
--- a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
+++ b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
@@ -3,6 +3,9 @@ status: experimental
 description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\*
 references:
 - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+tags:
+ - attack.persistence
+ - attack.T1138
 author: Markus Neis
 date: 2018/03/08
 logsource:
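Review bot: The technique tag added in the new `tags:` block uses a mixed-case id, `attack.T1138`, while the Sigma tag convention writes technique ids in lowercase, so any tooling that matches tags case-sensitively (rule-to-technique coverage reports, navigator layer generators) would miss this rule; if the rest of the repository's rules already use lowercase ids, change the line to `  - attack.t1138`. Application Shimming was, in the ATT&CK matrix current at the commit date, also listed under the Privilege Escalation tactic, so adding `  - attack.privilege_escalation` next to `attack.persistence` is worth considering if the rule should surface for that tactic as well. The YAML document begins before the hunk (its title and id are not visible) and continues after `logsource:`, so the detection logic these tags describe is outside this view.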