Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4071
Views
20
Helpful
13
Replies

Sdbinst.exe Cloud IOC and Command Line Arguments

JuliaMora15110
Level 1
Level 1

‎07-01-2022 08:32 AM

AMP has been generating a Cloud IOC alert for the following command line:

 

C:\WINDOWS\System32\sdbinst.exe -m -bg

 

I can't find anything for these arguments "-m -bg". 

 

Has anyone come across this or know what it means? 

2 people had this problem
0 Helpful
13 Replies 13

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-01-2022 09:38 AM

I've been seeing it myself on my own PC after upgrading to Windows 11. I tried and failed to exclude it from my policy in the Secure Endpoint console. Windows Defender and VirusTotal report the file is fine.

I will open a ticket on it eventually but haven't had the time to engage TAC.

Troja007
Cisco Employee
Cisco Employee

‎07-06-2022 01:12 AM - edited ‎07-06-2022 01:14 AM

Hello @JuliaMora15110 ,
to get any community help in such a case we need more information, more details. There are millions of different command line arguments, and millions of relations to other observables, which finally may generate an event of CloudIOC. I did a short test in my LAB.

  • The Severity Level of the IOC is Medium. This means, take a look if there is anything else on the system active.
  • Would be interesting if there are any other unknown files shown on the system
  • Or, if there are any other Events
  • Would be interesting which user did the command
  • The outlined tool can be used to do malicious activity, but this command provides not the necessary threat details to determine if there is really something malicious happening on the endpoint. Th tool is also listed on Mitre: https://attack.mitre.org/techniques/T1546/011/

So finally, you may take a closer look on the endpoint if you figure out any other activity.

Greetings,
Thorsten

Bildschirmfoto 2022-07-06 um 09.50.09.png

 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Troja007

‎07-06-2022 10:11 AM

@Troja007 can you tell us how to exclude this file from generating Cloud IOC events? I've scanned it with different tools and it comes up clean in every case. I tried whitelisting the file hash in my policy but that had no effect.

0 Helpful

Ken Stieers
VIP
VIP
In response to Marvin Rhoads

‎07-06-2022 11:24 AM

You can only silence the alarm, the event still happens. Click on the bell in the alarm to silence it.
To remove the event TAC or Dev have to get involved...
0 Helpful

Troja007
Cisco Employee
Cisco Employee
In response to Marvin Rhoads

‎07-07-2022 12:27 AM - edited ‎07-07-2022 12:29 AM

Hello all,
as @Ken Stieers already mentioned, what you can do today

  • Option 1: Silence the Alarm
  • Option 1: open a TAC case, so there is an exclusion added to your ORG in the backend

In addition, we are already working on a new feature to enable customers defining their own CloudIOC exclusions. @JuliaMora15110 , you may get in contact with your Cisco representative for any official statement.

Greetings,
Thorsten

0 Helpful

JuliaMora15110
Level 1
Level 1
In response to Troja007

‎07-07-2022 07:15 AM

Thank you, I've opened a Cisco TAC case and provided the debugging logs. I just want to know if this has been seen before and if it's expected behavior for Windows 11. If so, I'm hoping that the Cloud IOC can be fine tuned. 

0 Helpful

wwebster3
Level 1
Level 1
In response to JuliaMora15110

‎07-12-2022 08:02 AM

I am now seeing this alert come from all computers that have been updated to the latest Windows 11 build 22621.105.

One of the alerts had a sdbinst.exe -mm parameter but that also is undefined.

I can't find anything about this behavior online besides this thread which is unfortunate. I have checked the machines throwing up these alerts for custom Shim DB's but there weren't any in the regular folder locations.

wwebster3
Level 1
Level 1

‎07-12-2022 10:39 AM

Is this a Lenovo computer? What is the Make Model and Windows Version of the machines you are seeing this on?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-12-2022 10:52 AM

I see it consistently (every couple of days) on my HP Spectre x360 computer with Windows 11 Version 22H2, (OS Build 22621.169). It's fully patched and no other tool indicates this file is a problem. Silencing the alarm only silences that particular instance and it recurs eventually.

0 Helpful

wwebster3
Level 1
Level 1
In response to Marvin Rhoads

‎07-14-2022 07:08 AM

I see a few alerts every day, only on PC's with Windows 11 Version 22H2, (OS Build 22621.169) so I think we can confirm that it is due to the most recent Windows patches.  I am checking other Win 11 PC's that havent been patched fully and I dont even see SDBinst.exe running on these machines.  I am able to silence the Compromise Event Type "W32.SdbinstShimming.ioc" and then they all are hidden, I just havent had to silence an event type before and would much prefer figuring out what is causing these.

0 Helpful

wwebster3
Level 1
Level 1

‎07-14-2022 07:46 AM

I just confirmed that something must have changed at least between Win 10 and Win 11. In the screen shot you can see the variables "-mm" and "-m -bg" execute without error in Windows 11 Version 22H2, (OS Build 22621.169), but they error out in Windows 10.

Preview file
230 KB

JuliaMora15110
Level 1
Level 1

‎08-03-2022 12:54 PM

Hi all, 

I received a reply from Cisco TAC regarding this detection - a fix has been applied to the backend and should no longer display as a Cloud IOC. 

Thank you so much for confirming this was due to Windows 11 update!

wwebster3
Level 1
Level 1
In response to JuliaMora15110

‎08-04-2022 06:29 AM

Thank you Julia,  Can confirm the alerts have stopped.

0 Helpful
Customers Also Viewed These Support Documents