New Custom Shim Database Created

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

Sigma rule (View on GitHub)

 1title: New Custom Shim Database Created
 2id: ee63c85c-6d51-4d12-ad09-04e25877a947
 3status: test
 4description: |
 5    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
 6    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
 9    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
10    - https://liberty-shell.com/sec/2020/02/25/shim-persistence/
11    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
12author: frack113, Nasreddine Bencherchali (Nextron Systems)
13date: 2021-12-29
14modified: 2023-12-06
15tags:
16    - attack.persistence
17    - attack.t1547.009
18logsource:
19    product: windows
20    category: file_event
21detection:
22    selection:
23        TargetFilename|contains:
24            - ':\Windows\apppatch\Custom\'
25            - ':\Windows\apppatch\CustomSDB\'
26    condition: selection
27falsepositives:
28    - Legitimate custom SHIM installations will also trigger this rule
29level: medium

References

Related rules

to-top