Potential Application Shimming via Sdbinst
This brief covers the abuse of application shimming in Windows via `sdbinst.exe` to achieve persistence and privilege escalation by executing arbitrary code within legitimate processes.
Application shimming is a Windows mechanism intended for backward compatibility, allowing older software to run on newer operating systems. Attackers abuse this functionality by using the sdbinst.exe utility to create application compatibility databases (SDB files) that inject malicious code into legitimate processes. This allows for persistent code execution and potential privilege escalation. This technique has been observed across various Windows environments, with detection focusing on unusual command-line arguments used with sdbinst.exe. The rule Potential Application Shimming via Sdbinst detects suspicious invocations of sdbinst.exe by filtering out benign arguments, flagging potential misuse for further investigation and remediation, without relying on specific threat actor attribution.
Attack Chain
- Attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
- The attacker executes
sdbinst.exewith malicious command-line arguments to install a custom application compatibility database (.sdb file). - The .sdb file is crafted to modify the behavior of a legitimate application.
- When the targeted application is executed, the shimming mechanism loads the malicious .sdb file.
- The malicious code within the .sdb file is injected into the application's process.
- The injected code executes, allowing the attacker to perform actions such as installing malware, establishing persistence, or escalating privileges.
- The attacker maintains persistence by ensuring the shimming mechanism continues to load the malicious .sdb file on subsequent application launches.
Impact
Successful exploitation of application shimming allows attackers to gain persistent access to a system and execute arbitrary code with the privileges of the targeted application. This can lead to data theft, system compromise, and further lateral movement within the network. While a precise victim count isn't specified in the source, the technique's stealthy nature makes it highly effective for long-term compromise. The impact ranges from minor data breaches to complete system takeover depending on the permissions of the shimed application.
Recommendation
- Deploy the Sigma rule "Potential Application Shimming via Sdbinst" to your SIEM to detect suspicious
sdbinst.exeexecutions (see therulessection). - Monitor process execution logs for
sdbinst.exeinvocations and investigate any instances where the command-line arguments do not include-m,-bg, or-mm(see therulessection and the rule description). - Implement file integrity monitoring for application compatibility databases (.sdb files) to detect unauthorized modifications or additions (reference file_event category in the Sigma rules).
- Review and audit existing application shims for any signs of compromise or unauthorized modifications (reference registry_set category in the Sigma rules, targeting the
AppCompatFlagsregistry key).
Detection coverage 3
Potential Application Shimming via Sdbinst
mediumDetects suspicious invocations of sdbinst.exe used to create application shims for persistence and privilege escalation.
Application Shimming - File Creation
lowDetects the creation of .sdb files, potentially indicating application shimming activity.
Application Shimming - Registry Modification
lowDetects modifications to the AppCompatFlags registry key, which can indicate application shimming activity.
Detection queries are available on the platform. Get full rules →