security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
724e34ba95ffb48d13e18a91c547800986164572
sigma-rules/rules/windows/persistence_app_compat_shim.toml
T
Justin Ibarra aff7f37b92 [Rule Tuning] Optimize query for Installation of Custom Shim Databases (#3331) 
* [Rule Tuning] Optimize query for Installation of Custom Shim Databases
* add timestamp override
* update query exceptions
* tighten endpoint index pattern to registry

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-12-14 15:04:08 -07:00

57 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/13"
[rule]
author = ["Elastic"]
description = """
Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been
abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Installation of Custom Shim Databases"
risk_score = 47
rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
registry where host.os.type == "windows" and event.type in ("creation", "change") and
registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb" and
not process.executable :
("?:\\Program Files (x86)\\DesktopCentral_Agent\\swrepository\\1\\swuploads\\SAP-SLC\\SAPSetupSLC02_14-80001954\\Setup\\NwSapSetup.exe",
"?:\\$WINDOWS.~BT\\Sources\\SetupPlatform.exe",
"?:\\Program Files (x86)\\SAP\\SAPsetup\\setup\\NwSapSetup.exe",
"?:\\Program Files (x86)\\SAP\\SapSetup\\OnRebootSvc\\NWSAPSetupOnRebootInstSvc.exe",
"?:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Security for Windows Server\\kavfs.exe")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.011"
name = "Application Shimming"
reference = "https://attack.mitre.org/techniques/T1546/011/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink