Kaspersky Security for Windows Server — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/kaspersky-security-for-windows-server/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 09 Jan 2024 10:00:00 +0000Detection of Custom Shim Database Installation for Persistencehttps://feed.craftedsignal.io/briefs/2024-01-09-app-compat-shim-persistence/Tue, 09 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-09-app-compat-shim-persistence/Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases, which this detection identifies through monitoring registry changes.Attackers can exploit the Windows Application Compatibility Shim functionality to maintain persistence and execute arbitrary code within legitimate Windows processes. This is achieved by installing custom shim databases, which are designed to ensure older applications run smoothly on newer operating systems. By manipulating these databases, attackers can stealthily inject malicious code into trusted processes. The rule detects changes in specific registry paths associated with the installation of these databases, excluding known legitimate processes to minimize false positives. This technique allows for the execution of malicious code without directly modifying the target application’s executable, making it difficult to detect with traditional methods.

Attack Chain

  1. The attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).
  2. The attacker modifies the registry to create a new entry for a custom shim database. The registry path targeted is typically under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\.
  3. The attacker writes a malicious .sdb file containing the custom shim database to a location on disk.
  4. The registry entry created points to the malicious .sdb file.
  5. When a targeted application is launched, Windows checks the AppCompatFlags registry keys.
  6. The system loads the malicious shim database specified in the registry.
  7. The malicious code within the shim database is executed in the context of the targeted application.
  8. The attacker achieves persistence, as the malicious shim database is loaded every time the targeted application is run.

Impact

Successful exploitation allows attackers to maintain persistent access to the system, even after reboots or software updates. The injected code runs within the context of a legitimate process, which can evade detection by traditional security tools. This can lead to data theft, system compromise, or further malicious activities, such as lateral movement within the network. The use of application shimming for persistence affects systems running Windows and can impact organizations of any size or sector.

Recommendation

  • Deploy the Sigma rule Detect Custom Shim Database Installation to your SIEM to identify suspicious registry modifications related to application shimming.
  • Enable Sysmon registry event logging to ensure the necessary data is available for the Sigma rule to function.
  • Investigate any alerts generated by the Sigma rule, focusing on processes that are not in the exclusion list.
  • Block or quarantine any identified malicious .sdb files to prevent further execution.
  • Review and update the exclusion list in the Sigma rule with any newly identified legitimate applications that use shim databases, reducing false positives.
]]>mediumadvisorypersistenceapp-compatshimwindows