Query Details

Application shimming

Query

name: Privilege Escalation, Persistence T1546.011 Application shimming via sdbinst.exe
description: Detects usage of the utility sdbinst.exe, which can set registry keys for application shimming.
references: https://attack.mitre.org/techniques/T1546/011/, https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
tags: privilege_escalation, persistence, t1546.011
search_query:
(DeviceProcessEvents
| where ProcessVersionInfoInternalFileName =~ "sdbinst.exe"
| where not(ProcessCommandLine has_all ("-m", "-bg"))
| where ProcessCommandLine != @"""sdbinst.exe"" -mm"
| where ProcessCommandLine !contains "iisexpressshim.sdb")

Explanation

This query searches for executions of the utility sdbinst.exe, which can set registry keys for application shimming. It excludes runs whose command line contains both the -m and -bg switches, exactly matches "sdbinst.exe" -mm, or references iisexpressshim.sdb. The remaining hits are candidates for the privilege escalation and persistence technique T1546.011.
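Added example, not part of the original query page: a Python re-implementation of the four where clauses above, run over constructed DeviceProcessEvents rows so the exclusions can be checked offline. The whitespace tokenization used for has_all is an approximation of KQL term matching, and every command line and path below is constructed.

```python
from dataclasses import dataclass


@dataclass
class DeviceProcessEvent:
    """Constructed stand-in for the two DeviceProcessEvents columns the query reads."""
    ProcessVersionInfoInternalFileName: str
    ProcessCommandLine: str


def has_all(text, terms):
    # Approximation (assumption) of KQL has_all: each term must appear as a whole
    # whitespace-delimited token, case-insensitively, so "-mm" does not satisfy "-m".
    tokens = text.lower().split()
    return all(term.lower() in tokens for term in terms)


def is_suspicious_sdbinst(ev):
    """Mirror the query's where clauses for a single event; True means the row is returned."""
    # =~ is case-insensitive equality
    if ev.ProcessVersionInfoInternalFileName.lower() != "sdbinst.exe":
        return False
    # not(has_all("-m","-bg")): excluded only when BOTH switches are present
    if has_all(ev.ProcessCommandLine, ("-m", "-bg")):
        return False
    # != is an exact, case-sensitive comparison against the quoted form
    if ev.ProcessCommandLine == '"sdbinst.exe" -mm':
        return False
    # !contains is a case-insensitive substring test
    if "iisexpressshim.sdb" in ev.ProcessCommandLine.lower():
        return False
    return True


def run_query(events):
    return [ev for ev in events if is_suspicious_sdbinst(ev)]


# Constructed sample rows (paths and switches are illustrative, not observed data)
SAMPLE_EVENTS = [
    DeviceProcessEvent("sdbinst.exe", r"sdbinst.exe C:\Users\Public\update.sdb"),            # flagged
    DeviceProcessEvent("sdbinst.exe", r"sdbinst.exe -m -bg C:\Windows\AppPatch\Custom\x.sdb"),  # excluded
    DeviceProcessEvent("sdbinst.exe", '"sdbinst.exe" -mm'),                                   # excluded
    DeviceProcessEvent("sdbinst.exe", "sdbinst.exe -mm"),                                     # flagged: unquoted
    DeviceProcessEvent("sdbinst.exe", r'sdbinst.exe "C:\IIS Express\iisexpressshim.sdb"'),    # excluded
    DeviceProcessEvent("notepad.exe", "notepad.exe -m -bg"),                                  # wrong binary
    DeviceProcessEvent("SDBInst.EXE", r"SDBINST.EXE C:\Temp\CustomShim.sdb"),                # flagged
]

if __name__ == "__main__":
    for hit in run_query(SAMPLE_EVENTS):
        print("HIT:", hit.ProcessCommandLine)
```

The unquoted "sdbinst.exe -mm" row shows that the != exclusion only removes the exact quoted command line, which matters when tuning the query against your own baseline.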

Details


Ali Hussein

Released: January 22, 2024

Tables

DeviceProcessEvents

Keywords

Devices, Intune, User

Operators

where, =~, not, has_all, !=, !contains
