topic Re: Sdbinst.exe Cloud IOC and Command Line Arguments in Endpoint Security

Sdbinst.exe Cloud IOC and Command Line Arguments

JuliaMora15110 — Fri, 01 Jul 2022 15:32:49 GMT

AMP has been generating a Cloud IOC alert for the following command line:

C:\WINDOWS\System32\sdbinst.exe -m -bg

I can't find anything for these arguments "-m -bg".

Has anyone come across this or know what it means?

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

Marvin Rhoads — Fri, 01 Jul 2022 16:38:50 GMT

I've been seeing it myself on my own PC after upgrading to Windows 11. I tried and failed to exclude it from my policy in the Secure Endpoint console. Windows Defender and VirusTotal report the file is fine.

I will open a ticket on it eventually but haven't had the time to engage TAC.

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

Troja007 — Wed, 06 Jul 2022 08:14:34 GMT

Hello @JuliaMora15110 ,
to get any community help in such a case we need more information, more details. There are millions of different command line arguments, and millions of relations to other observables, which finally may generate an event of CloudIOC. I did a short test in my LAB.

The Severity Level of the IOC is Medium. This means, take a look if there is anything else on the system active.
Would be interesting if there are any other unknown files shown on the system
Or, if there are any other Events
Would be interesting which user did the command
The outlined tool can be used to do malicious activity, but this command provides not the necessary threat details to determine if there is really something malicious happening on the endpoint. Th tool is also listed on Mitre: https://attack.mitre.org/techniques/T1546/011/

So finally, you may take a closer look on the endpoint if you figure out any other activity.

Greetings,
Thorsten

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

Marvin Rhoads — Wed, 06 Jul 2022 17:11:04 GMT

@Troja007 can you tell us how to exclude this file from generating Cloud IOC events? I've scanned it with different tools and it comes up clean in every case. I tried whitelisting the file hash in my policy but that had no effect.

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

Ken Stieers — Wed, 06 Jul 2022 18:24:45 GMT

You can only silence the alarm, the event still happens. Click on the bell in the alarm to silence it.
To remove the event TAC or Dev have to get involved...

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

Troja007 — Thu, 07 Jul 2022 07:29:11 GMT

Hello all,
as @Ken Stieers already mentioned, what you can do today

Option 1: Silence the Alarm
Option 1: open a TAC case, so there is an exclusion added to your ORG in the backend

In addition, we are already working on a new feature to enable customers defining their own CloudIOC exclusions. @JuliaMora15110 , you may get in contact with your Cisco representative for any official statement.

Greetings,
Thorsten

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

JuliaMora15110 — Thu, 07 Jul 2022 14:15:06 GMT

Thank you, I've opened a Cisco TAC case and provided the debugging logs. I just want to know if this has been seen before and if it's expected behavior for Windows 11. If so, I'm hoping that the Cloud IOC can be fine tuned.

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

wwebster3 — Tue, 12 Jul 2022 15:02:05 GMT

I am now seeing this alert come from all computers that have been updated to the latest Windows 11 build 22621.105.

One of the alerts had a sdbinst.exe -mm parameter but that also is undefined.

I can't find anything about this behavior online besides this thread which is unfortunate. I have checked the machines throwing up these alerts for custom Shim DB's but there weren't any in the regular folder locations.

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

wwebster3 — Tue, 12 Jul 2022 17:39:40 GMT

Is this a Lenovo computer? What is the Make Model and Windows Version of the machines you are seeing this on?

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

Marvin Rhoads — Tue, 12 Jul 2022 17:52:02 GMT

I see it consistently (every couple of days) on my HP Spectre x360 computer with Windows 11 Version 22H2, (OS Build 22621.169). It's fully patched and no other tool indicates this file is a problem. Silencing the alarm only silences that particular instance and it recurs eventually.

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

wwebster3 — Thu, 14 Jul 2022 14:08:56 GMT

I see a few alerts every day, only on PC's with Windows 11 Version 22H2, (OS Build 22621.169) so I think we can confirm that it is due to the most recent Windows patches. I am checking other Win 11 PC's that havent been patched fully and I dont even see SDBinst.exe running on these machines. I am able to silence the Compromise Event Type "W32.SdbinstShimming.ioc" and then they all are hidden, I just havent had to silence an event type before and would much prefer figuring out what is causing these.

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

wwebster3 — Thu, 14 Jul 2022 14:46:02 GMT

I just confirmed that something must have changed at least between Win 10 and Win 11. In the screen shot you can see the variables "-mm" and "-m -bg" execute without error in Windows 11 Version 22H2, (OS Build 22621.169), but they error out in Windows 10.

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

JuliaMora15110 — Wed, 03 Aug 2022 19:54:41 GMT

Hi all,

I received a reply from Cisco TAC regarding this detection - a fix has been applied to the backend and should no longer display as a Cloud IOC.

Thank you so much for confirming this was due to Windows 11 update!

Re: Sdbinst.exe Cloud IOC and Command Line Arguments

wwebster3 — Thu, 04 Aug 2022 13:29:50 GMT

Thank you Julia, Can confirm the alerts have stopped.