Detectionmediumtest
New Custom Shim Database Created
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
François Hubaut, Nasreddine Bencherchali (Nextron Systems)Created Wed Dec 29Updated Wed Dec 06ee63c85c-6d51-4d12-ad09-04e25877a947windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic1 selector
detection:
selection:
TargetFilename|contains:
- ':\Windows\apppatch\Custom\'
- ':\Windows\apppatch\CustomSDB\'
condition: selectionFalse Positives
Legitimate custom SHIM installations will also trigger this rule
References
MITRE ATT&CK
Sub-techniques
Rule Metadata
Rule ID
ee63c85c-6d51-4d12-ad09-04e25877a947
Status
test
Level
medium
Type
Detection
Created
Wed Dec 29
Modified
Wed Dec 06
Path
rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.009