
Added several Windows shim database related artifact definitions (#356)

recvfrom authored and joachimmetz committed Jul 3, 2019
1 parent d7d237a commit 9fdf452785d05e1722a2affca9be3a11a1ece000
Showing with 184 additions and 0 deletions.
  1. +184 −0 data/windows.yaml
@@ -109,6 +109,98 @@ urls:
- 'http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/'
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/ee872121(v=vs.85).aspx'
---
name: WindowsApplicationCompatibilityInstalledShimDatabases
doc: |
Windows Application Compatibility Installed Shim Databases.
drvmain.sdb, frxmain.sdb, msimain.sdb, pcamain.sdb, and sysmain.sdb are
shim database files (SDB files) that are provided by Windows, and contain
many predefined shims that address known application compability issues.
Note that these database files are not signed.
Windows also supports custom shim database. These are typically installed
by the sdbinst.exe utility. Note, that shim database files can also exist
elsewhere in the file system.
Windows application shims provide a way for the operating system to
apply patches to executables before they are run, ultimately providing
a lightweight mechanism for applying hot fixes and making modifications to
ensure compatibility across the various versions of Windows. This
functionality can also be leveraged maliciously to change how certain
programs operate, or to provide capabilities to malware, such as the
ability to bypass UAC, gain persistence by injecting loading into legitimate
processes, or avoid detection by disabling anti-virus software.
sources:
- type: FILE
attributes:
paths:
- '%%environ_windir%%\AppPatch\drvmain.sdb'
- '%%environ_windir%%\AppPatch\frxmain.sdb'
- '%%environ_windir%%\AppPatch\msimain.sdb'
- '%%environ_windir%%\AppPatch\pcamain.sdb'
- '%%environ_windir%%\AppPatch\sysmain.sdb'
- '%%environ_windir%%\AppPatch\AppPatch64\Custom\*'
- '%%environ_windir%%\AppPatch\Custom\*'
- '%%environ_windir%%\AppPatch\Custom\Custom64\*'
- '%%environ_windir%%\AppPatch\CustomSDB\*'
separator: '\'
labels: [Users]
supported_os: [Windows]
urls:
- 'https://attack.mitre.org/techniques/T1138/'
- 'https://countercept.com/blog/hunting-for-application-shim-databases/'
- 'http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf'
- 'https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf'
---
name: WindowsApplicationCompatibilityShimDatabaseMappings
doc: |
Windows Application Compatibility Shim Database Mappings.
Mappings between the Windows Application Compatibility shim database files and
the programs that they apply to.
Windows allows for custom application shims to be installed via the
sdbinst.exe application. For example a mapping for 'notepad.exe':
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
AppCompatFlags\Custom\notepad.exe
Value: {00000000-1111-2222-3333-444444444444}.sdb = 0
Key: AppCompatFlags\InstalledSDB\{00000000-1111-2222-3333-444444444444}
Value: DatabasePath =
"C:\Windows\AppPatch\Custom\{00000000-1111-2222-3333-444444444444}.sdb"
Windows application shims provide a way for the operating system to
apply patches to executables before they are run, ultimately providing
a lightweight mechanism for applying hot fixes and making modifications to
ensure compatibility across the various versions of Windows. This
functionality can also be leveraged maliciously to change how certain
programs operate, or to provide capabilities to malware, such as the
ability to bypass UAC, gain persistence by injecting loading into legitimate
processes, or avoid detection by disabling anti-virus software.
sources:
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabaseDescription'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\*', value: 'DatabasePath'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\*', value: '*'}
supported_os: [Windows]
urls:
- 'https://attack.mitre.org/techniques/T1138/'
- 'https://countercept.com/blog/hunting-for-application-shim-databases/'
---
name: WindowsApplicationCompatibilityShims
doc: Windows Application Compatibility Shim Database Files and Application Mappings
sources:
- type: ARTIFACT_GROUP
attributes:
names:
- 'WindowsApplicationCompatibilityInstalledShimDatabases'
- 'WindowsApplicationCompatibilityShimDatabaseMappings'
labels: [System]
supported_os: [Windows]
---
name: WinAppXRT
doc: WinAppXRT DLL loaded by .Net applications when the APPX_PROCESS environment variable is set.
sources:
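Review bot: `labels: [Users]` on WindowsApplicationCompatibilityInstalledShimDatabases looks wrong; every path it collects sits under `%%environ_windir%%\AppPatch`, a system-wide location, and the group artifact WindowsApplicationCompatibilityShims added in the same hunk carries `labels: [System]`, so the file artifact should use `labels: [System]` as well. The doc block also needs wording fixes: "compability" should read "compatibility", "custom shim database" should be plural, "Note, that shim database files" should drop the comma, and "gain persistence by injecting loading into legitimate processes" reads like an editing leftover (presumably "injecting into legitimate processes"); that sentence is repeated verbatim in the WindowsApplicationCompatibilityShimDatabaseMappings doc, so both copies need the fix. In the registry example, the second key is shown as a relative path (`AppCompatFlags\InstalledSDB\{...}`) while the first is fully qualified; writing both out under `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\` would avoid the reader guessing the parent.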
@@ -331,6 +423,39 @@ urls:
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694515(v=vs.85).aspx'
- 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms686595(v=vs.85).aspx'
---
name: WindowsCOMProperties
doc: |
Various properties of Windows COM Objects.
These artifacts are meant to highlight properties of COM objects that,
although legitimate, are known to be associated with persistence techniques
or other capabilities that malware can leverage.
ShellFolder\HideOnDesktop, ShellFolder\Attributes (specifically with value
0xf090013d), and InprocServer\LoadWithoutCOM are associated with a technique
to cause iexplore or explorer to load a malicious DLL by registering a COM
object and invoking it through the use of Junction Folders.
sources:
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'Attributes'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'Attributes'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\ShellFolder', value: 'HideOnDesktop'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Classes\Wow6432Node\CLSID\*\InprocServer32', value: 'LoadWithoutCOM'}
supported_os: [Windows]
urls:
- 'https://ired.team/offensive-security/code-execution/forcing-iexplore.exe-to-load-a-malicious-dll-via-com-abuse'
- 'https://labs.nettitude.com/blog/com-and-the-powerthief/'
---
name: WindowsCOMRegisteredTypeLibraries
doc: Windows COM registered type libraries
sources:
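Review bot: the doc names `InprocServer\LoadWithoutCOM`, but the key_value_pairs collect `InprocServer32\LoadWithoutCOM`; use the same subkey name in the doc so the description matches what is collected. This artifact is also the only one added in this commit without a `labels:` line (the others carry `labels: [System]`), which looks like an omission. Minor: the doc singles out the Attributes value `0xf090013d` as the interesting one, yet the artifact collects every `ShellFolder\Attributes` value under every CLSID, so it would help to state that narrowing to that value is left to the analyst reviewing the collected data.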
@@ -1807,6 +1932,40 @@ urls:
- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html'
- 'https://blogs.technet.microsoft.com/platforms_lync_cloud/2017/05/05/disabling-windows-10-action-center-notifications/'
---
name: WindowsBootConfigurationSettings
doc: |
Windows Boot Configuration Settings.
These Windows Registry values are associated with the Windows Boot
Configuration Settings. Malware, like Cerber (ransomware), is known to
change the Windows Boot Configuration Settings and disable recovery options
like the ability to boot into safe mode.
'bcdedit.exe' can be used to modify the Windows Boot Configuration Settings.
The mappings of registry key to associated bcdedit commands is as
follows:
* 16000009: 'bcdedit.exe /set {default} recoveryenabled <yes|no>'
* 00 gets stored for 'no', 01 gets stored for 'yes'
* 250000e0: 'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'
* 01 00 00 00 00 00 00 00 gets stored. Otherwise, the key is not present
The wildcard component of the Windows Registry key is the identifier
associated with the Windows Boot Loader instance on a given machine. This
identifier can be determined by running 'bcdedit.exe /v' and looking at the
'identifier' under the Windows Boot Loader section (on Windows 7 and
Windows 10, '{default}' [used by Cerber] points to this instance).
sources:
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\BCD00000000\Objects\*\Elements\16000009', value: 'Element'}
- {key: 'HKEY_LOCAL_MACHINE\BCD00000000\Objects\*\Elements\250000e0', value: 'Element'}
labels: [System]
supported_os: [Windows]
urls:
- 'https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcd-system-store-settings-for-uefi'
- 'https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html'
---
name: WindowsDisallowedSystemCertificates
doc: |
Windows Disallowed System Certificates
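Review bot: the doc attributes the boot-configuration tampering to Cerber, but the urls list only the Microsoft BCD reference and a Talos post on Sodinokibi; either add a Cerber reference or attribute the behaviour to the malware the linked source actually covers. Grammar: "The mappings of registry key to associated bcdedit commands is as follows" should read "The mapping of registry keys to the associated bcdedit commands is as follows". The `250000e0` bullet should also say explicitly that the element is absent when the default boot status policy is in effect, so that no hit on `Elements\250000e0` is the expected clean state and not a collection failure; the same clarification would help for `16000009`, where "00 gets stored for 'no'" only applies once the value has been set at all.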
@@ -1841,6 +2000,10 @@ sources:
- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'Hidden'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'HideFileExt'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'}
- {key: 'HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced', value: 'ShowSuperHidden'}
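Review bot: the `HKEY_USERS\%%users.sid%%\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced` entries are unlikely to ever match: the WOW64 registry redirector maps `HKEY_LOCAL_MACHINE\Software` and the per-user `Software\Classes` subtree to `Wow6432Node`, but the rest of a user hive's `Software` key is shared between 32- and 64-bit processes, so no `Wow6432Node` copy of `Explorer\Advanced` gets created under a user SID. An absent key is harmless (it just produces no result), but dropping the per-user `Wow6432Node` variants for `Hidden`, `HideFileExt` and `ShowSuperHidden` would keep the definition to keys that can exist.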
@@ -1878,6 +2041,7 @@ supported_os: [Windows]
urls:
- 'https://www.sdkhere.com/2016/02/analysis-of-malware-using-wmi-query.html'
- 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_mandrom.e'
- 'https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_deleter.ah'
- 'https://blog.malwarebytes.com/detections/pum-optional-disabledrightclick/'
- 'https://blog.malwarebytes.com/detections/pum-optional-disableshowcontrolpanel/'
---
@@ -2057,11 +2221,14 @@ sources:
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableSR'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore', value: 'DisableSR'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore', value: 'DisableSR'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer', value: 'LimitSystemRestoreCheckpointing'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\Installer', value: 'LimitSystemRestoreCheckpointing'}
labels: [System]
supported_os: [Windows]
urls:
- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
- 'https://www.windows-commandline.com/enable-disable-system-restore-service/'
- 'https://docs.microsoft.com/en-us/windows/desktop/msi/limitsystemrestorecheckpointing'
---
name: WindowsUserAccountControlSettings
doc: |
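Review bot: `LimitSystemRestoreCheckpointing` is a Windows Installer policy that stops MSI installations from creating a restore checkpoint (that is what the linked `msi/limitsystemrestorecheckpointing` page documents), not a switch that turns System Restore off the way `DisableSR` does. Since both now sit in the same artifact, the doc should say so, otherwise an analyst may read a hit on the Installer policy as System Restore having been disabled.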
@@ -2075,11 +2242,14 @@ sources:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'EnableLUA'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'EnableLUA'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System', value: 'ConsentPromptBehaviorAdmin'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System', value: 'ConsentPromptBehaviorAdmin'}
labels: [System]
supported_os: [Windows]
urls:
- 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/958053ae-5397-4f96-977f-b7700ee461ec'
- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
- 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4'
---
name: WindowsUpgradeSettings
doc: |
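Review bot: `ConsentPromptBehaviorAdmin` is only meaningful in combination with `EnableLUA`, and its setting is a small enumeration rather than a boolean, so the artifact doc should spell out which values matter (the value that elevates administrators without any prompt is the one a persistence or privilege-escalation review cares about) instead of leaving the reader to look it up in the MS-GPSB references. Collecting both values from the same `Policies\System` key is fine; the documentation just needs to make the interpretation of the pair explicit.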
@@ -2102,6 +2272,20 @@ urls:
- 'https://www.ghacks.net/2016/01/08/disableosupgrade-prevents-the-upgrade-to-windows-10/'
- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0517-0524.html'
---
name: WindowsUpdateSettings
doc: Windows Update Settings
sources:
- type: REGISTRY_VALUE
attributes:
key_value_pairs:
- {key: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU', value: 'NoAutoUpdate'}
- {key: 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU', value: 'NoAutoUpdate'}
labels: [System]
supported_os: [Windows]
urls:
- 'https://docs.microsoft.com/en-us/windows/deployment/update/waas-wu-settings'
- 'https://blog.talosintelligence.com/2019/06/threat-roundup-0531-0607.html'
---
name: WindowsFontDrivers
doc: Windows font drivers from the Registry.
sources:
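Review bot: the `doc:` for WindowsUpdateSettings is only the title, whereas every other artifact added in this commit explains what the collected value means. Here the reader needs to know that `NoAutoUpdate` set to 1 disables Automatic Updates (the linked waas-wu-settings page documents the value), which is the reason it is worth collecting alongside the other "disable a defence" artifacts; a multi-line `doc: |` block in the style of the neighbouring artifacts would fix this.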
