sigma | high | Hunting
Suspicious Shim Database Patching Activity
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
Detection Query
selection:
    TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\
    TargetObject|endswith:
        - \csrss.exe
        - \dllhost.exe
        - \explorer.exe
        - \RuntimeBroker.exe
        - \services.exe
        - \sihost.exe
        - \svchost.exe
        - \taskhostw.exe
        - \winlogon.exe
        - \WmiPrvSe.exe
condition: selection
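To show how the selection above behaves on real-looking telemetry, here is an added Python example (not part of the rule or its project) that evaluates the rule against constructed Sysmon registry events. It assumes the registry_set logsource maps to Sysmon Event ID 13, uses the event field names from the rule, and reproduces Sigma's default case-insensitive string matching.

```python
from typing import Dict, List

# Rule values, lowercased once: Sigma string modifiers are case-insensitive.
APPCOMPAT_CUSTOM = (
    "\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\\"
)
PATCHED_TARGETS = [
    "\\csrss.exe", "\\dllhost.exe", "\\explorer.exe", "\\runtimebroker.exe",
    "\\services.exe", "\\sihost.exe", "\\svchost.exe", "\\taskhostw.exe",
    "\\winlogon.exe", "\\wmiprvse.exe",
]


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies the rule's 'selection' block.

    The registry_set logsource is approximated as Sysmon Event ID 13 (SetValue);
    that mapping is an assumption of this example, not stated by the rule.
    """
    if event.get("EventID") != "13":
        return False
    target = event.get("TargetObject", "").lower()
    return APPCOMPAT_CUSTOM in target and any(
        target.endswith(exe) for exe in PATCHED_TARGETS
    )


def run_rule(events: List[Dict[str, str]]) -> List[str]:
    """Return the TargetObject of every event that fires the rule."""
    return [e["TargetObject"] for e in events if matches_rule(e)]


CUSTOM_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\"

# Constructed sample events (not real telemetry); Image values are illustrative.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Shim registered for svchost.exe: fires.
    {"EventID": "13", "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "TargetObject": CUSTOM_KEY + "svchost.exe"},
    # Same technique, different casing: still fires (case-insensitive match).
    {"EventID": "13", "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "TargetObject": CUSTOM_KEY.upper() + "WINLOGON.EXE"},
    # Shim for a line-of-business binary not in the list: no alert.
    {"EventID": "13", "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "TargetObject": CUSTOM_KEY + "LegacyInventory.exe"},
    # Key creation (Event ID 12) is outside the registry_set logsource: no alert.
    {"EventID": "12", "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "TargetObject": CUSTOM_KEY + "explorer.exe"},
]
```

`run_rule(SAMPLE_EVENTS)` returns only the first two TargetObject paths; the third shows why the endswith list limits noise from legitimate custom shims, which is what the rule's comment about adding more applications trades off against.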
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-08-01
Data Sources
windows: Registry Set Events
Platforms
windows
References
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
Tags
attack.privilege-escalation, attack.persistence, attack.t1546.011
Raw Content
title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: test
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
        TargetObject|endswith:
            # Note: add other applications to increase coverage
            - '\csrss.exe'
            - '\dllhost.exe'
            - '\explorer.exe'
            - '\RuntimeBroker.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\svchost.exe'
            - '\taskhostw.exe'
            - '\winlogon.exe'
            - '\WmiPrvSe.exe'
    condition: selection
falsepositives:
    - Unknown
level: high