/
registry_keys_for_creating_shim_databases.yml
66 lines (66 loc) · 2.54 KB
/
registry_keys_for_creating_shim_databases.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: Registry Keys for Creating SHIM Databases
id: f5f6af30-7aa7-4295-bfe9-07fe87c01bbb
version: 6
date: '2023-04-27'
author: Steven Dick, Bhavin Patel, Patrick Bareiss, Teoderick Contreras, Splunk
status: production
type: TTP
description: This search looks for registry activity associated with application compatibility
shims, which can be leveraged by attackers for various nefarious purposes.
data_source:
- Sysmon EventID 12
- Sysmon EventID 13
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE (Registry.registry_path=*CurrentVersion\\AppCompatFlags\\Custom* OR Registry.registry_path=*CurrentVersion\\AppCompatFlags\\InstalledSDB*)
BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name
Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `registry_keys_for_creating_shim_databases_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the registry value name, registry path, and registry value data from your
endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical
Sysmon TA. https://splunkbase.splunk.com/app/5709
known_false_positives: There are many legitimate applications that leverage shim databases
for compatibility purposes for legacy applications
references: []
tags:
analytic_story:
- Suspicious Windows Registry Activities
- Windows Persistence Techniques
- Windows Registry Abuse
asset_type: Endpoint
confidence: 80
impact: 70
message: A registry activity in $registry_path$ related to shim modication in host
$dest$
mitre_attack_id:
- T1546.011
- T1546
observable:
- name: dest
type: Hostname
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Registry.dest
- Registry.registry_value_name
- Registry.registry_key_name
- Registry.registry_path
- Registry.registry_value_data
- Registry.process_guid
risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.011/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog