Installing Custom Shim Databases

Identifies the installation of custom Application Compatibility Shim databases.

id:0e9a0a32-acf4-4969-9828-215a692c436e categories:detect confidence:medium os:windows created:11/30/2018 updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Persistence, Privilege Escalation techniques:T1138 Application Shimming

Query

registry where registry_path == "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"
  and not event of [process where subtype.create and

                      // Ignore legitimate usage of sdbinst.exe
                      not (process_name == "sdbinst.exe" and parent_process_name == "msiexec.exe")
                   ]

Detonation

Atomic Red Team: T1138

Contributors

• Endgame