Sdbinst.exe Cloud IOC and Command Line Arguments

JuliaMora15110
Level 1

AMP has been generating a Cloud IOC alert for the following command line:

C:\WINDOWS\System32\sdbinst.exe -m -bg

I can't find anything for these arguments "-m -bg".

Has anyone come across this or know what it means?


Marvin Rhoads
Hall of Fame

I've been seeing it myself on my own PC after upgrading to Windows 11. I tried and failed to exclude it from my policy in the Secure Endpoint console. Windows Defender and VirusTotal report the file is fine.

I will open a ticket on it eventually but haven't had the time to engage TAC.

Troja007
Cisco Employee

Hello @JuliaMora15110,
To get any community help in such a case we need more information, more details. There are millions of different command line arguments, and millions of relations to other observables, which finally may generate a CloudIOC event. I did a short test in my LAB.

  • The Severity Level of the IOC is Medium. This means, take a look at whether anything else is active on the system.
  • It would be interesting if there are any other unknown files shown on the system.
  • Or, if there are any other Events.
  • It would be interesting which user ran the command.
  • The outlined tool can be used to do malicious activity, but this command does not provide the necessary threat details to determine if there is really something malicious happening on the endpoint. The tool is also listed on Mitre: https://attack.mitre.org/techniques/T1546/011/

So finally, you may take a closer look on the endpoint if you figure out any other activity.

Greetings,
Thorsten

[Attachment: Screenshot 2022-07-06 09.50.09.png]

@Troja007 can you tell us how to exclude this file from generating Cloud IOC events? I've scanned it with different tools and it comes up clean in every case. I tried whitelisting the file hash in my policy but that had no effect.

You can only silence the alarm, the event still happens. Click on the bell in the alarm to silence it.
To remove the event TAC or Dev have to get involved...

Hello all,
As @Ken Stieers already mentioned, here is what you can do today:

  • Option 1: Silence the Alarm
  • Option 2: Open a TAC case, so an exclusion is added to your ORG in the backend

In addition, we are already working on a new feature to enable customers defining their own CloudIOC exclusions. @JuliaMora15110 , you may get in contact with your Cisco representative for any official statement.

Greetings,
Thorsten

Thank you, I've opened a Cisco TAC case and provided the debugging logs. I just want to know if this has been seen before and if it's expected behavior for Windows 11. If so, I'm hoping that the Cloud IOC can be fine tuned. 

I am now seeing this alert come from all computers that have been updated to the latest Windows 11 build 22621.105.

One of the alerts had an sdbinst.exe -mm parameter, but that also is undefined.

I can't find anything about this behavior online besides this thread, which is unfortunate. I have checked the machines throwing up these alerts for custom Shim DBs, but there weren't any in the regular folder locations.
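One way to do the check described above on an endpoint that raised the alert is to inventory what sdbinst.exe has actually registered, rather than only looking in the folders. The PowerShell below is an added triage example, not code from this thread or from Cisco; it assumes the standard Windows locations for shim databases (the AppCompatFlags\InstalledSDB and AppCompatFlags\Custom registry keys and the AppPatch\Custom folders).

```powershell
# Added triage example (not from this thread): list the shim databases registered
# on this host, so an sdbinst.exe Cloud IOC can be compared with what is installed.
# Assumes the standard Windows registry keys and AppPatch\Custom folder locations.

$sdbKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$customKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$sdbDirs   = @("$env:SystemRoot\AppPatch\Custom", "$env:SystemRoot\AppPatch\Custom\Custom64")

function Get-InstalledShimDb {
    # Each subkey of InstalledSDB is a database GUID holding path, description and install time.
    if (-not (Test-Path $sdbKey)) { return @() }
    Get-ChildItem $sdbKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            # DatabaseInstallTimeStamp is a FILETIME stored as a 64-bit integer
            Installed   = if ($p.DatabaseInstallTimeStamp) { [DateTime]::FromFileTime($p.DatabaseInstallTimeStamp) } else { $null }
            # A registered database whose file is missing is itself worth a second look
            OnDisk      = if ($p.DatabasePath) { Test-Path $p.DatabasePath } else { $false }
        }
    }
}

function Get-ShimmedExecutables {
    # Each subkey of ...\Custom is an executable name; its value names are the SDBs applied to it.
    if (-not (Test-Path $customKey)) { return @() }
    Get-ChildItem $customKey | ForEach-Object {
        $exe = $_.PSChildName
        ($_ | Get-ItemProperty).PSObject.Properties |
            Where-Object { $_.Name -like '*.sdb' } |
            ForEach-Object { [pscustomobject]@{ Executable = $exe; Sdb = $_.Name } }
    }
}

function Get-CustomSdbFiles {
    # Loose .sdb files in the custom folders, registered or not.
    $sdbDirs | Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem $_ -Filter *.sdb -File -ErrorAction SilentlyContinue } |
        Select-Object FullName, Length, LastWriteTime
}

'== Registered shim databases =='
Get-InstalledShimDb | Format-Table -AutoSize
'== Executables with custom shims =='
Get-ShimmedExecutables | Format-Table -AutoSize
'== .sdb files in AppPatch\Custom =='
Get-CustomSdbFiles | Format-Table -AutoSize
```

On a host where the sdbinst.exe run installed nothing, all three sections come back empty; any entry with a recent install time, an unfamiliar description, or a path outside AppPatch\Custom is what to triage next, together with which user account ran the command.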

wwebster3
Level 1

Is this a Lenovo computer? What is the Make Model and Windows Version of the machines you are seeing this on?

Marvin Rhoads
Hall of Fame

I see it consistently (every couple of days) on my HP Spectre x360 computer with Windows 11 Version 22H2 (OS Build 22621.169). It's fully patched and no other tool indicates this file is a problem. Silencing the alarm only silences that particular instance and it recurs eventually.

I see a few alerts every day, only on PCs with Windows 11 Version 22H2 (OS Build 22621.169), so I think we can confirm that it is due to the most recent Windows patches. I am checking other Win 11 PCs that haven't been patched fully and I don't even see SDBinst.exe running on these machines. I am able to silence the Compromise Event Type "W32.SdbinstShimming.ioc" and then they all are hidden; I just haven't had to silence an event type before and would much prefer figuring out what is causing these.

wwebster3
Level 1

I just confirmed that something must have changed at least between Win 10 and Win 11. In the screenshot you can see the variables "-mm" and "-m -bg" execute without error in Windows 11 Version 22H2 (OS Build 22621.169), but they error out in Windows 10.

JuliaMora15110
Level 1

Hi all,

I received a reply from Cisco TAC regarding this detection: a fix has been applied to the backend and it should no longer display as a Cloud IOC.

Thank you so much for confirming this was due to the Windows 11 update!

Thank you Julia, can confirm the alerts have stopped.