Techniques
Sample rules
Shim Database File Creation
- source: splunk
- technicques:
- T1546.011
- T1546
Description
This search looks for shim database files being written to default directories. The sdbinst.exe application is used to install shim database files (.sdb). According to Microsoft, a shim is a small library that transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.
Detection logic
| tstats `security_content_summariesonly` count values(Filesystem.action) values(Filesystem.file_hash) as file_hash values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path=*Windows\\AppPatch\\Custom* by Filesystem.file_name Filesystem.dest
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
|`drop_dm_object_name(Filesystem)`
| `shim_database_file_creation_filter`