Potential Persistence Via Shim Database Modification

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

Author
François Hubaut
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (4 selectors)
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
    filter_main_empty_string:
        Details: ''
    filter_main_empty_value:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    condition: selection and not 1 of filter_main_*
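To see how the selection and the three filter_main_* filters combine under the rule's condition, the following Python is an added example (not part of the Sigma rule or the Sigma project) that evaluates the same logic over constructed Registry Set events; the TargetObject/Details field names follow the Sysmon-style fields the rule uses, and the GUIDs and paths in the samples are made up.

```python
# Added example: plain-Python evaluation of this rule's selection/filter logic
# over constructed Registry Set events. Not part of the rule or of Sigma itself.
SELECTION_CONTAINS = (
    "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\",
    "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\",
)
# filter_main_empty_string, filter_main_empty_value, filter_main_null
FILTERED_DETAILS = ("", "(Empty)", None)


def selection_matches(event):
    """'selection': TargetObject|contains one of the AppCompatFlags paths.
    Sigma string matching is case-insensitive, so both sides are lower-cased."""
    target = (event.get("TargetObject") or "").lower()
    return any(s.lower() in target for s in SELECTION_CONTAINS)


def filter_matches(event):
    """'1 of filter_main_*': Details is '', '(Empty)', or absent/null."""
    return event.get("Details") in FILTERED_DETAILS


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection_matches(event) and not filter_matches(event)


def find_hits(events):
    """Return the ids of the events that trigger the rule."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (GUIDs and paths are illustrative, not real data).
SAMPLE_EVENTS = [
    {"id": "evt-1",  # SDB registered with a database path -> hit
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\{11111111-2222-3333-4444-555555555555}\\DatabasePath",
     "Details": "C:\\Windows\\AppPatch\\Custom\\{11111111-2222-3333-4444-555555555555}.sdb"},
    {"id": "evt-2",  # value written but empty -> filter_main_empty_value
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\notepad.exe\\{11111111-2222-3333-4444-555555555555}.sdb",
     "Details": "(Empty)"},
    {"id": "evt-3",  # no Details field logged at all -> filter_main_null
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\{11111111-2222-3333-4444-555555555555}\\DatabaseDescription"},
    {"id": "evt-4",  # AppCompatFlags\Layers (user-set compat mode) -> selection misses
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers\\C:\\Program Files\\OldApp\\oldapp.exe",
     "Details": "~ WIN7RTM"},
]

if __name__ == "__main__":
    print(find_hits(SAMPLE_EVENTS))  # ['evt-1']
```

Note that evt-4 shows the rule deliberately ignores the Layers subkey, which is where ordinary "run in compatibility mode" settings land, so only the InstalledSDB and Custom subkeys used for registering shim databases are in scope.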
False Positives

Legitimate custom SHIM installations will also trigger this rule

Rule Metadata
Rule ID
dfb5b4e8-91d0-4291-b40a-e3b0d3942c45
Status
test
Level
medium
Type
Detection
Created
Thu Dec 30
Modified
Wed Oct 22
Path
rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml
Raw Tags
attack.privilege-escalation
attack.persistence
attack.t1546.011