AMP has been generating a Cloud IOC alert for the following command line:
C:\WINDOWS\System32\sdbinst.exe -m -bg
I can't find anything for these arguments "-m -bg".
Has anyone come across this or know what it means?
I've been seeing it myself on my own PC after upgrading to Windows 11. I tried and failed to exclude it from my policy in the Secure Endpoint console. Windows Defender and VirusTotal report the file is fine.
I will open a ticket on it eventually but haven't had the time to engage TAC.
Hello @JuliaMora15110,
To get any community help in such a case we need more information, more details. There are millions of different command line arguments, and millions of relations to other observables, which finally may generate an event of CloudIOC. I did a short test in my lab.
So finally, you may take a closer look at the endpoint if you figure out any other activity.
As @Ken Stieers already mentioned, what you can do today:
In addition, we are already working on a new feature to enable customers to define their own CloudIOC exclusions. @JuliaMora15110, you may get in contact with your Cisco representative for any official statement.
I am now seeing this alert come from all computers that have been updated to the latest Windows 11 build 22621.105.
One of the alerts had an sdbinst.exe -mm parameter, but that also is undefined.
I can't find anything about this behavior online besides this thread, which is unfortunate. I have checked the machines throwing up these alerts for custom shim DBs, but there weren't any in the regular folder locations.
I see a few alerts every day, only on PCs with Windows 11 Version 22H2 (OS Build 22621.169), so I think we can confirm that it is due to the most recent Windows patches. I am checking other Win 11 PCs that haven't been patched fully and I don't even see sdbinst.exe running on these machines. I am able to silence the Compromise Event Type "W32.SdbinstShimming.ioc" and then they all are hidden. I just haven't had to silence an event type before and would much prefer figuring out what is causing these.
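For anyone doing the same check for custom shim databases that the posts above describe, here is an added triage script (not from this thread or from Cisco) that enumerates what is actually registered on an endpoint so a W32.SdbinstShimming.ioc alert can be compared against it. It assumes the standard Windows locations for installed shim databases: the InstalledSDB and Custom registry keys under AppCompatFlags, and the AppPatch\Custom and AppPatch\Custom\Custom64 folders.

```powershell
# Added triage script, not part of the thread. Lists registered shim databases,
# the executables they are mapped to, and any .sdb files on disk that no
# InstalledSDB entry references. Assumes the standard registry keys and folders.

$installedKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$customKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$sdbFolders   = @("$env:SystemRoot\AppPatch\Custom", "$env:SystemRoot\AppPatch\Custom\Custom64")

function Get-InstalledShimDb {
    # One object per database registered by sdbinst (or by anything writing this key)
    if (-not (Test-Path $installedKey)) { return @() }
    Get-ChildItem $installedKey | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Id          = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            # DatabaseInstallTimeStamp is a FILETIME (100 ns ticks since 1601)
            Installed   = if ($p.DatabaseInstallTimeStamp) { [datetime]::FromFileTime($p.DatabaseInstallTimeStamp) } else { $null }
            PathExists  = [bool]($p.DatabasePath -and (Test-Path $p.DatabasePath))
        }
    }
}

function Get-ShimTargets {
    # Executables that have a custom shim database mapped to them
    if (-not (Test-Path $customKey)) { return @() }
    Get-ChildItem $customKey | ForEach-Object {
        $exe = $_.PSChildName
        (Get-Item $_.PSPath).GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Executable = $exe; ShimDb = $_ }
        }
    }
}

function Get-OrphanSdbFiles {
    # .sdb files on disk that are not referenced by any InstalledSDB entry
    $known = (Get-InstalledShimDb).Path | Where-Object { $_ } | ForEach-Object { $_.ToLower() }
    $sdbFolders | Where-Object { Test-Path $_ } | ForEach-Object {
        Get-ChildItem $_ -Filter *.sdb -File
    } | Where-Object { $known -notcontains $_.FullName.ToLower() }
}

'== Installed shim databases ==';               Get-InstalledShimDb | Format-Table -AutoSize
'== Executables with custom shims ==';          Get-ShimTargets     | Format-Table -AutoSize
'== .sdb files not registered in InstalledSDB =='; Get-OrphanSdbFiles | Select-Object FullName, LastWriteTime
```

Run it elevated on a machine that raised the alert; an empty result in all three sections, as the poster above observed, suggests the sdbinst.exe run did not leave a custom database behind, whereas a recent Installed timestamp or an unregistered .sdb file is what you would want to look at before silencing the event type.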