EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Uncommon Extension Shim Database Installation Via Sdbinst.EXE

Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims

MITRE ATT&CK

T1546.011
persistenceprivilege-escalation

Detection Query

selection:
  - Image|endswith: \sdbinst.exe
  - OriginalFileName: sdbinst.exe
filter_main_legit_ext:
  CommandLine|contains: .sdb
filter_main_legit_extensions:
  - CommandLine|endswith:
      - " -c"
      - " -f"
      - " -mm"
      - " -t"
  - CommandLine|contains: " -m -bg"
filter_main_null:
  CommandLine: null
filter_main_empty:
  CommandLine: ""
condition: selection and not 1 of filter_main_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-08-01

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.persistenceattack.privilege-escalationattack.t1546.011
Raw Content
title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE
id: 18ee686c-38a3-4f65-9f44-48a077141f42
related:
    - id: 517490a7-115a-48c6-8862-1a481504d5a8
      type: derived
status: test
description: |
    Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
    - https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2024-01-10
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\sdbinst.exe'
        - OriginalFileName: 'sdbinst.exe'
    filter_main_legit_ext:
        CommandLine|contains: '.sdb'
    filter_main_legit_extensions:
        # ParentImage|endswith: ':\Windows\System32\svchost.exe'
        - CommandLine|endswith:
              - ' -c'
              - ' -f'
              - ' -mm'
              - ' -t'
        - CommandLine|contains: ' -m -bg'
    filter_main_null:
        CommandLine: null
    filter_main_empty:
        CommandLine: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium