title: Potential Persistence Via Shim Database In Uncommon Location
id: 6b6976a3-b0e6-4723-ac24-ae38a737af41
status: test
description: Detects the installation of a new shim database where the file is located in a non-default location
references:
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
    - https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
            - '\DatabasePath'
    filter_main_known_locations:
        Details|contains: ':\Windows\AppPatch\Custom'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: test
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
        TargetObject|endswith:
            # Note: add other application to increase coverage
            - '\csrss.exe'
            - '\dllhost.exe'
            - '\explorer.exe'
            - '\RuntimeBroker.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\svchost.exe'
            - '\taskhostw.exe'
            - '\winlogon.exe'
            - '\WmiPrvSe.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Potential Persistence Via AppCompat RegisterAppRestart Layer
id: b86852fb-4c77-48f9-8519-eb1b2c308b59
status: test
description: |
    Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
    This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
    This can be potentially abused as a persistence mechanism.
references:
    - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\'
        Details|contains: 'REGISTERAPPRESTART'
    condition: selection
falsepositives:
    - Legitimate applications making use of this feature for compatibility reasons
level: medium

title: Potential Persistence Via Shim Database Modification
id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45
status: test
description: |
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113
date: 2021-12-30
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
    filter_main_empty_string:
        Details: ''
    filter_main_empty_value:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate custom SHIM installations will also trigger this rule
level: medium

title: Potential Shim Database Persistence via Sdbinst.EXE
id: 517490a7-115a-48c6-8862-1a481504d5a8
related:
    - id: 18ee686c-38a3-4f65-9f44-48a077141f42
      type: similar
status: test
description: |
    Detects installation of a new shim using sdbinst.exe.
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
author: Markus Neis
date: 2019-01-16
modified: 2023-12-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\sdbinst.exe'
        - OriginalFileName: 'sdbinst.exe'
    selection_cli:
        CommandLine|contains: '.sdb'
    filter_optional_iis:
        ParentImage|endswith: '\msiexec.exe'
        CommandLine|contains:
            # Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
            - ':\Program Files (x86)\IIS Express\iisexpressshim.sdb'
            - ':\Program Files\IIS Express\iisexpressshim.sdb'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

title: Uncommon Extension Shim Database Installation Via Sdbinst.EXE
id: 18ee686c-38a3-4f65-9f44-48a077141f42
related:
    - id: 517490a7-115a-48c6-8862-1a481504d5a8
      type: derived
status: test
description: |
    Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
references:
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
    - https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2024-01-10
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\sdbinst.exe'
        - OriginalFileName: 'sdbinst.exe'
    filter_main_legit_ext:
        CommandLine|contains: '.sdb'
    filter_main_legit_extensions:
        # ParentImage|endswith: ':\Windows\System32\svchost.exe'
        - CommandLine|endswith:
              - ' -c'
              - ' -f'
              - ' -mm'
              - ' -t'
        - CommandLine|contains: ' -m -bg'
    filter_main_null:
        CommandLine: null
    filter_main_empty:
        CommandLine: ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium