ATT&CK Technique

Application Shimming

T1546.011 · privilege-escalation, persistence

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that they will work with Windows 10.

Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.

A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
  • %WINDIR%\AppPatch\sysmain.sdb
  • hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb
Custom databases are stored in:
  • %WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom
  • hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom
To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel, and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Account Control (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structured Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Utilizing these shims may allow an adversary to perform several malicious acts such as elevating privileges, installing backdoors, disabling defenses like Windows Defender, etc.

Shims can also be abused to establish persistence by continuously being invoked by affected programs.
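The file and registry locations listed above are what a defender inventories when checking a host for unexpected shim databases. The script below is an added example (not from the ATT&CK page or the Atomic Red Team project) that enumerates them from an elevated PowerShell session; it assumes the InstalledSDB subkeys carry the DatabasePath, DatabaseDescription and DatabaseInstallTimeStamp values that sdbinst.exe writes, and that custom databases live under AppPatch\Custom and AppPatch\Custom\Custom64 (the paths the Atomic tests on this page use).

```powershell
# Added example (not from the ATT&CK page or Atomic Red Team): inventory the
# custom shim-database locations named in the technique text. Run elevated.
# Assumption: InstalledSDB subkeys carry DatabasePath, DatabaseDescription and
# DatabaseInstallTimeStamp (a FILETIME) as written by sdbinst.exe.
$acf     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$sdbDirs = @("$env:WINDIR\AppPatch\Custom", "$env:WINDIR\AppPatch\Custom\Custom64")

function Get-InstalledShimDatabases {
    # One object per registered database. FileExists=False means the registry
    # still points at an .sdb that is gone (or was never installed cleanly).
    Get-ChildItem "$acf\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
        $p  = Get-ItemProperty -Path $_.PSPath
        $ts = if ($p.DatabaseInstallTimeStamp) { [DateTime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp) }
        [PSCustomObject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            Installed   = $ts
            FileExists  = [bool]($p.DatabasePath -and (Test-Path -LiteralPath $p.DatabasePath))
        }
    }
}

function Get-ShimTargets {
    # AppCompatFlags\Custom holds one subkey per shimmed executable; each value
    # name is the GUID-named .sdb hooked into it. This is the persistence link.
    Get-ChildItem "$acf\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
        $exe = $_.PSChildName
        foreach ($v in $_.GetValueNames()) {
            [PSCustomObject]@{ Executable = $exe; Database = $v }
        }
    }
}

function Get-CustomSdbFiles {
    # Files on disk, hashed for triage. Anything here that is not also listed
    # in InstalledSDB (or the reverse) deserves a closer look.
    Get-ChildItem -Path $sdbDirs -Filter *.sdb -File -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{
            Path    = $_.FullName
            Written = $_.LastWriteTime
            Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

Get-InstalledShimDatabases | Format-Table -AutoSize
Get-ShimTargets            | Format-Table -AutoSize
Get-CustomSdbFiles         | Format-Table -AutoSize
```

On a clean workstation all three tables are normally empty; a populated Custom key naming a system binary, or an .sdb on disk with no matching InstalledSDB entry, is the kind of discrepancy worth escalating.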

Platforms: Windows

Actors Using This (10)
  • Andariel (North Korea)
  • OilRig (Iran)
  • APT35 (Iran)
  • APT37 (North Korea)
  • APT38 (North Korea)

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
Attack-path graph (kill-chain phases shown): resource-development, earlier; command-and-control, later.

Atomic Tests (3)

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.

Application Shim Installation (command_prompt, elevated, windows)
Install a shim database. This technique is used for privilege escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete." will be displayed. To verify the shim behavior, run AtomicTest.exe from the <PathToAtomicsFolder>\T1546.011\bin directory. You should see a message box appear with "Atomic Shim DLL Test!" as defined in AtomicTest.dll. To better understand what is happening, review the source code files in the <PathToAtomicsFolder>\T1546.011\src directory.
  sdbinst.exe "#{file_path}"

New shim database files created in the default shim database directory (powershell, elevated, windows)
Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database. Reference: https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
  Copy-Item "$PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb" C:\Windows\apppatch\Custom\T1546.011CompatDatabase.sdb
  Copy-Item "$PathToAtomicsFolder\T1546.011\bin\T1546.011CompatDatabase.sdb" C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb

Registry key creation and/or modification events for SDB (powershell, elevated, windows)
Create registry keys in locations where FIN7 typically places SDB patches. Upon execution, output will be displayed describing the registry keys that were created. These keys can also be viewed using the Registry Editor. Reference: https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
  New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011"
  New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -Value "AtomicRedTeamT1546.011"
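The three tests above leave a process-creation, a file-creation and a registry-write trace respectively. The script below is an added example (not from the ATT&CK page or Atomic Red Team) that pulls those traces back out of the Sysmon log so you can confirm your telemetry saw them; it assumes Sysmon is installed with ProcessCreate (ID 1), FileCreate (ID 11) and RegistryEvent SetValue (ID 13) enabled, and the one-hour lookback window is a constructed value.

```powershell
# Added example (not from the ATT&CK page or Atomic Red Team): after running the
# tests above, pull the Sysmon events those actions should have produced
# (sdbinst.exe launch, .sdb written under AppPatch\Custom, AppCompatFlags
# registry writes). Assumes Sysmon logs event IDs 1, 11 and 13; the one-hour
# lookback is a constructed value.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 11, 13
    StartTime = $since
} -ErrorAction SilentlyContinue

function Get-EventData($e) {
    # Flatten the EventData block of a Sysmon event into a name -> value table
    $h = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
    $h
}

function Find-ShimInstallActivity($events) {
    foreach ($e in $events) {
        $d   = Get-EventData $e
        $why = switch ($e.Id) {
            1  { if ($d.Image -match '\\sdbinst\.exe$') { "sdbinst run: $($d.CommandLine)" } }
            11 { if ($d.TargetFilename -match '\\AppPatch\\Custom\\.*\.sdb$') { "SDB written: $($d.TargetFilename)" } }
            13 { if ($d.TargetObject -match 'AppCompatFlags\\(InstalledSDB|Custom)\\') { "AppCompatFlags write: $($d.TargetObject)" } }
        }
        if ($why) {
            [PSCustomObject]@{ Time = $e.TimeCreated; Id = $e.Id; User = $d.User; Detail = $why }
        }
    }
}

Find-ShimInstallActivity $events | Sort-Object Time | Format-Table -AutoSize
```

If the first test ran but no ID 1 row appears, the Sysmon configuration is filtering sdbinst.exe; if the third ran without an ID 13 row, the AppCompatFlags key is not in the registry include list.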

Mitigations (2)

MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.

M1051 Update Software

Software updates ensure systems are protected against known vulnerabilities by applying patches and upgrades provided by vendors. Regular updates reduce the attack surface and prevent adversaries from exploiting known security gaps. This includes patching operating systems, applications, drivers, and firmware.

Regular Operating System Updates
  • Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance windows.
  • Use Case: Prevents exploitation of OS vulnerabilities such as privilege escalation or remote code execution.
Application Patching
  • Implementation: Monitor Apache's update release notes for security patches addressing vulnerabilities. Schedule updates for off-peak hours to avoid downtime while maintaining security compliance.
  • Use Case: Prevents exploitation of web application vulnerabilities, such as those leading to unauthorized access or data breaches.
Firmware Updates
  • Implementation: Regularly check the vendor's website for firmware updates addressing vulnerabilities. Plan for update deployment during scheduled maintenance to minimize business disruption.
  • Use Case: Protects against vulnerabilities that adversaries could exploit to gain access to network devices or inject malicious traffic.
Emergency Patch Deployment
  • Implementation: Use the emergency patch deployment feature of the organization's patch management tool to apply updates to all affected Exchange servers within 24 hours.
  • Use Case: Reduces the risk of exploitation by rapidly addressing critical vulnerabilities.
Centralized Patch Management
  • Implementation: Implement a centralized patch management system, such as SCCM or ManageEngine, to automate and track patch deployment across all environments. Generate regular compliance reports to ensure all systems are updated.
  • Use Case: Streamlines patching processes and ensures no critical systems are missed.
Tools for Implementation
Patch Management Tools
  • WSUS: Manage and deploy Microsoft updates across the organization.
  • ManageEngine Patch Manager Plus: Automate patch deployment for OS and third-party apps.
  • Ansible: Automate updates across multiple platforms, including Linux and Windows.
Vulnerability Scanning Tools
  • OpenVAS: Open-source vulnerability scanning to identify missing patches.
M1052 User Account Control

User Account Control (UAC) is a security feature in Microsoft Windows that prevents unauthorized changes to the operating system. UAC prompts users to confirm or provide administrator credentials when an action requires elevated privileges. Proper configuration of UAC reduces the risk of privilege escalation attacks.

Enable UAC Globally
  • Ensure UAC is enabled through Group Policy by setting User Account Control: Run all administrators in Admin Approval Mode to Enabled.
Require Credential Prompt
  • Use Group Policy to configure UAC to prompt for administrative credentials instead of just confirmation (User Account Control: Behavior of the elevation prompt).
Restrict Built-in Administrator Account
  • Set Admin Approval Mode for the built-in Administrator account to Enabled in Group Policy.
Secure the UAC Prompt
  • Configure UAC prompts to display on the secure desktop (User Account Control: Switch to the secure desktop when prompting for elevation).
Prevent UAC Bypass
  • Block untrusted applications from triggering UAC prompts by configuring User Account Control: Only elevate executables that are signed and validated.
  • Use EDR tools to detect and block known UAC bypass techniques.
Monitor UAC-Related Events
  • Use Windows Event Viewer to monitor for event ID 4688 (process creation) and look for suspicious processes attempting to invoke UAC elevation.
Tools for Implementation
Built-in Windows Tools
  • Group Policy Editor: Configure UAC settings centrally for enterprise environments.
  • Registry Editor: Modify UAC-related settings directly, such as EnableLUA and ConsentPromptBehaviorAdmin.
Endpoint Security Solutions
  • Microsoft Defender for Endpoint: Detects and blocks UAC bypass techniques.
  • Sysmon: Logs process creations and monitors UAC elevation attempts for suspicious activity.
Third-Party Security Tools
  • Process Monitor (Sysinternals): Tracks real-time processes interacting with UAC.
  • EventSentry: Monitors Windows Event Logs for UAC-related alerts.
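Each Group Policy setting in the UAC guidance above is backed by a registry value under Policies\System (the section itself names EnableLUA and ConsentPromptBehaviorAdmin). The script below is an added example (not from the ATT&CK page) that reads those values and reports drift from a hardened baseline; the mapping of policy names to value names and the expected values are stated here as the author's assumptions, so adjust the baseline to your own policy.

```powershell
# Added example (not from the ATT&CK page): compare the UAC registry values that
# implement the Group Policy settings listed above against a hardened baseline.
# Assumption: policy-to-value mapping and expected values as given in $baseline.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$baseline = @(
    @{ Name = 'EnableLUA';                   Expect = 1; Policy = 'Run all administrators in Admin Approval Mode' }
    # 1 = prompt for credentials on the secure desktop (0 = elevate silently, 5 = default consent prompt)
    @{ Name = 'ConsentPromptBehaviorAdmin';  Expect = 1; Policy = 'Behavior of the elevation prompt for administrators' }
    @{ Name = 'FilterAdministratorToken';    Expect = 1; Policy = 'Admin Approval Mode for the built-in Administrator account' }
    @{ Name = 'PromptOnSecureDesktop';       Expect = 1; Policy = 'Switch to the secure desktop when prompting for elevation' }
    @{ Name = 'ValidateAdminCodeSignatures'; Expect = 1; Policy = 'Only elevate executables that are signed and validated' }
)

function Test-UacBaseline {
    # Returns one row per setting; Actual is $null when the value is not set,
    # which counts as drift because the OS default is then in effect.
    $current = Get-ItemProperty -Path $uacKey -ErrorAction Stop
    foreach ($b in $baseline) {
        $actual = $current.($b.Name)
        [PSCustomObject]@{
            Setting  = $b.Policy
            Value    = $b.Name
            Expected = $b.Expect
            Actual   = $actual
            Status   = if ($actual -eq $b.Expect) { 'OK' } else { 'DRIFT' }
        }
    }
}

Test-UacBaseline | Format-Table -AutoSize
```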

Detection Coverage (1/6 layers)

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
  • Behavioral / log (Sigma): 6
  • Analytics (MITRE CAR): none
  • Runtime / container (Falco): none
  • File / malware (YARA): none
  • Network (Suricata/Snort): none
  • Vuln scan (Nuclei): none

Comply & Defend

NIST 800-53: AC-06, SI-02
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin