{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/application-shimming/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Citrix Workspace"],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege-escalation","application-shimming","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix"],"content_html":"\u003cp\u003eApplication shimming is a compatibility mechanism in Windows that allows older applications to run on newer operating systems. However, attackers can abuse this functionality to gain persistence and execute arbitrary code in the context of legitimate Windows processes. This is achieved by using the \u003ccode\u003esdbinst.exe\u003c/code\u003e utility to install malicious application compatibility databases (.sdb files). These databases can then be used to inject malicious code into targeted applications. The detection rule focuses on identifying suspicious invocations of \u003ccode\u003esdbinst.exe\u003c/code\u003e with arguments that do not include benign flags, indicating potential misuse of the application shimming mechanism. This technique is stealthy because it allows attackers to execute code within trusted processes, making it harder to detect.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or creates a malicious .sdb file containing code to be injected.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003esdbinst.exe\u003c/code\u003e to install the malicious .sdb file. The command line arguments often lack common benign flags like \u0026ldquo;-m\u0026rdquo;, \u0026ldquo;-bg\u0026rdquo;, or \u0026ldquo;-mm\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe operating system loads the shim database when the targeted application is launched.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the .sdb file is executed in the context of the targeted application.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the system, as the shim is loaded each time the targeted application is executed.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration, lateral movement, or further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful application shimming attack can allow an attacker to maintain persistent access to a compromised system. This can lead to data theft, system compromise, and further malicious activities. Because the malicious code executes within a trusted process, detection can be challenging, and the attacker can potentially bypass security controls. While the number of victims is unknown, this technique is particularly effective against organizations that rely on specific applications, as the attacker can target those applications for persistence.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Application Shimming via Sdbinst\u0026rdquo; to your SIEM to detect suspicious invocations of \u003ccode\u003esdbinst.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the command-line arguments of \u003ccode\u003esdbinst.exe\u003c/code\u003e executions, which is required for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate and remove any unauthorized or suspicious application compatibility databases (.sdb files) found on systems.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for \u003ccode\u003esdbinst.exe\u003c/code\u003e executions across the network to detect and respond to future attempts at application shimming.\u003c/li\u003e\n\u003cli\u003eRegularly review and update the list of exceptions to ensure that only verified and necessary exclusions are maintained to avoid overlooking genuine threats.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-app-shimming/","summary":"Attackers abuse the Application Shim functionality in Windows by using `sdbinst.exe` with malicious arguments to achieve persistence and execute arbitrary code within legitimate Windows processes.","title":"Potential Application Shimming via Sdbinst","url":"https://feed.craftedsignal.io/briefs/2024-01-app-shimming/"}],"language":"en","title":"CraftedSignal Threat Feed — Application-Shimming","version":"https://jsonfeed.org/version/1.1"}