Installing Custom Shim Databases

Identifies the installation of custom Application Compatibility Shim databases.

| Field | Value |
|---|---|
| id | 0e9a0a32-acf4-4969-9828-215a692c436e |
| categories | detect |
| confidence | medium |
| os | windows |
| created | 11/30/2018 |
| updated | 11/30/2018 |
MITRE ATT&CK™ Mapping

| Field | Value |
|---|---|
| tactics | Persistence, Privilege Escalation |
| techniques | T1138 Application Shimming |
Query

```eql
registry where registry_path == "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"
and not event of [process where subtype.create and
    // Ignore legitimate usage of sdbinst.exe
    not (process_name == "sdbinst.exe" and parent_process_name == "msiexec.exe")
]
```
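The same detection logic written out in Python over constructed registry events, added here as an illustration and not part of the EQL Analytics Library. It matches the analytic's registry path pattern with EQL-style case-insensitive wildcards and applies the exclusion the inline comment describes (sdbinst.exe launched by msiexec.exe); the event field names, sample paths and process names are assumptions.

```python
import fnmatch

# Registry path pattern from the analytic above; "*" is EQL's wildcard.
SHIM_DB_PATH = r"*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\*.sdb"

# Constructed sample events (not real telemetry). Each registry event already carries
# the writing process and its parent, which is what the analytic's
# "event of [process where ...]" join resolves. GUIDs are placeholders.
SAMPLE_EVENTS = [
    # MSI-driven install: sdbinst.exe launched by msiexec.exe (excluded by the analytic)
    {"event_type": "registry", "process_name": "sdbinst.exe", "parent_process_name": "msiexec.exe",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\app.exe\{CONSTRUCTED-GUID-1}.sdb"},
    # Interactive install: sdbinst.exe launched from a shell; lower-case path (alert)
    {"event_type": "registry", "process_name": "sdbinst.exe", "parent_process_name": "cmd.exe",
     "registry_path": r"hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom\app.exe\{CONSTRUCTED-GUID-2}.sdb"},
    # Unrelated process writing the Custom key without sdbinst.exe at all (alert)
    {"event_type": "registry", "process_name": "updater.exe", "parent_process_name": "explorer.exe",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\other.exe\{CONSTRUCTED-GUID-3}.sdb"},
    # Different AppCompatFlags subkey: outside the pattern (no alert)
    {"event_type": "registry", "process_name": "sdbinst.exe", "parent_process_name": "cmd.exe",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{CONSTRUCTED-GUID-2}"},
    # Not a registry event: the analytic never considers it
    {"event_type": "process", "process_name": "sdbinst.exe", "parent_process_name": "cmd.exe", "registry_path": ""},
]


def matches_shim_db_path(registry_path: str) -> bool:
    """EQL string matches are case-insensitive and "*" spans backslashes too."""
    return fnmatch.fnmatchcase(registry_path.lower(), SHIM_DB_PATH.lower())


def is_msi_sdbinst(event: dict) -> bool:
    """The analytic's exclusion: sdbinst.exe whose parent is msiexec.exe."""
    return (event.get("process_name", "").lower() == "sdbinst.exe"
            and event.get("parent_process_name", "").lower() == "msiexec.exe")


def detect_custom_shim_installs(events):
    """Return the registry events the analytic would surface, in input order."""
    return [e for e in events
            if e["event_type"] == "registry"
            and matches_shim_db_path(e["registry_path"])
            and not is_msi_sdbinst(e)]


if __name__ == "__main__":
    for hit in detect_custom_shim_installs(SAMPLE_EVENTS):
        print(f'{hit["parent_process_name"]} -> {hit["process_name"]}: {hit["registry_path"]}')
```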