Suspicious Shim Database Patching Activity

Rule Info

Name
Suspicious Shim Database Patching Activity
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
Reference
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
Date
2023-08-01 00:00:00
Modified
2023-12-06 00:00:00
Id
bf344fea-d947-4ef4-9192-34d008315d3a
Tags
attack.persistence attack.t1546.011
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=bf344fea-d947-4ef4-9192-34d008315d3a

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #5027 from @nasbench - Promote older rules status from `experimental` to `test`
2024-10-01
08c52c367
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Nasreddine Bencherchali
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21
e05267714
frack113
Refractor registry_set rules
2023-08-17
bb2aea7c4
Nasreddine Bencherchali
Update rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml
2023-08-04
db8e3d266
Nasreddine Bencherchali
feat: update shim rules
2023-08-01
381b135ba
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022