Sigma rules for CVE-2014-8399
6 rules · scoped to cve · back to CVE-2014-8399
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: test
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-12-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.011
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
TargetObject|endswith:
# Note: add other application to increase coverage
- '\csrss.exe'
- '\dllhost.exe'
- '\explorer.exe'
- '\RuntimeBroker.exe'
- '\services.exe'
- '\sihost.exe'
- '\svchost.exe'
- '\taskhostw.exe'
- '\winlogon.exe'
- '\WmiPrvSe.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential Persistence Via Shim Database In Uncommon Location
id: 6b6976a3-b0e6-4723-ac24-ae38a737af41
status: test
description: Detects the installation of a new shim database where the file is located in a non-default location
references:
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
- https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.011
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
- '\DatabasePath'
filter_main_known_locations:
Details|contains: ':\Windows\AppPatch\Custom'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: New Custom Shim Database Created
id: ee63c85c-6d51-4d12-ad09-04e25877a947
status: test
description: |
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
- https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
- https://liberty-shell.com/sec/2020/02/25/shim-persistence/
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-29
modified: 2023-12-06
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.009
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains:
- ':\Windows\apppatch\Custom\'
- ':\Windows\apppatch\CustomSDB\'
condition: selection
falsepositives:
- Legitimate custom SHIM installations will also trigger this rule
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml
title: Potential Shim Database Persistence via Sdbinst.EXE
id: 517490a7-115a-48c6-8862-1a481504d5a8
related:
- id: 18ee686c-38a3-4f65-9f44-48a077141f42
type: similar
status: test
description: |
Detects installation of a new shim using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
- https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
author: Markus Neis
date: 2019-01-16
modified: 2023-12-06
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.011
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\sdbinst.exe'
- OriginalFileName: 'sdbinst.exe'
selection_cli:
CommandLine|contains: '.sdb'
filter_optional_iis:
ParentImage|endswith: '\msiexec.exe'
CommandLine|contains:
# Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
- ':\Program Files (x86)\IIS Express\iisexpressshim.sdb'
- ':\Program Files\IIS Express\iisexpressshim.sdb'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE
id: 18ee686c-38a3-4f65-9f44-48a077141f42
related:
- id: 517490a7-115a-48c6-8862-1a481504d5a8
type: derived
status: test
description: |
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2024-01-10
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1546.011
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\sdbinst.exe'
- OriginalFileName: 'sdbinst.exe'
filter_main_legit_ext:
CommandLine|contains: '.sdb'
filter_main_legit_extensions:
# ParentImage|endswith: ':\Windows\System32\svchost.exe'
- CommandLine|endswith:
- ' -c'
- ' -f'
- ' -mm'
- ' -t'
- CommandLine|contains: ' -m -bg'
filter_main_null:
CommandLine: null
filter_main_empty:
CommandLine: ''
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Potential Persistence Via Shim Database Modification
id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45
status: test
description: |
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113
date: 2021-12-30
modified: 2025-10-22
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.011
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
filter_main_empty_string:
Details: ''
filter_main_empty_value:
Details: '(Empty)'
filter_main_null:
Details: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate custom SHIM installations will also trigger this rule
level: medium