Suspicious Shim Database Patching Activity

Detects the registration of a new application compatibility shim database (SDB) for one of a set of well-known Windows system processes, written under the AppCompatFlags\Custom registry key. Attackers such as FIN7 (see the references in the rule) have used custom shims to patch these processes in memory for process injection or persistence.

Sigma rule

title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: test
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
        TargetObject|endswith:
            # Note: add other applications to increase coverage
            - '\csrss.exe'
            - '\dllhost.exe'
            - '\explorer.exe'
            - '\RuntimeBroker.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\svchost.exe'
            - '\taskhostw.exe'
            - '\winlogon.exe'
            - '\WmiPrvSe.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
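The selection above ANDs two modifiers on the same field: TargetObject must contain the AppCompatFlags\Custom key path and must end with one of the listed executable names, and Sigma string matching is case-insensitive. The following Python is an added example, not code from the page, the rule author or SigmaHQ, that evaluates that logic over a handful of constructed registry_set events. It also includes an assumed variant matcher (value_set_matches, not part of the rule) for one check a practitioner should make before relying on this rule: when sdbinst registers a shim, the value it writes under Custom\<exe> is named after the SDB file (for example {GUID}.sdb), so a value-set event whose TargetObject carries the value name would end in .sdb rather than in the executable name and would not satisfy endswith. Register a benign test SDB against one of the listed binaries on a lab host and confirm what your registry_set source actually records. The event records, GUID and paths below are constructed for illustration.

```python
"""Evaluate the 'Suspicious Shim Database Patching Activity' selection over
constructed registry_set events.

Added example; not the page's, the rule author's or SigmaHQ's code.
All events, the GUID and the hostless registry paths are constructed.
"""

# Field values copied from the rule. Backslashes are literal in Sigma strings;
# matching is case-insensitive, which the helpers below reproduce via lower().
CUSTOM_KEY_FRAGMENT = "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\"
PATCHED_PROCESSES = [
    r"\csrss.exe", r"\dllhost.exe", r"\explorer.exe", r"\RuntimeBroker.exe",
    r"\services.exe", r"\sihost.exe", r"\svchost.exe", r"\taskhostw.exe",
    r"\winlogon.exe", r"\WmiPrvSe.exe",
]


def selection_matches(target_object: str) -> bool:
    """The rule's 'selection' block exactly as written: contains AND endswith."""
    t = target_object.lower()
    return CUSTOM_KEY_FRAGMENT.lower() in t and any(
        t.endswith(p.lower()) for p in PATCHED_PROCESSES
    )


def value_set_matches(target_object: str) -> bool:
    """Assumed variant, NOT part of the rule: take the path component directly
    under Custom\\ as the executable name, so an event whose TargetObject
    continues with the SDB value name ('...\\Custom\\svchost.exe\\{GUID}.sdb')
    still matches. Use it only if your telemetry records paths of that shape."""
    t = target_object.lower()
    frag = CUSTOM_KEY_FRAGMENT.lower()
    if frag not in t:
        return False
    exe = t.split(frag, 1)[1].split("\\", 1)[0]
    return ("\\" + exe) in [p.lower() for p in PATCHED_PROCESSES]


# Constructed Sysmon-style Event ID 13 (registry value set) records.
SAMPLE_EVENTS = [
    # 0: key-style path ending in the executable name -> rule matches
    {"Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\services.exe"},
    # 1: value-set path carrying the SDB value name -> rule does NOT match, variant does
    {"Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\svchost.exe\{6f1c2a3e-0000-4000-8000-000000000001}.sdb"},
    # 2: shim for a binary not on the list -> no match (constructed benign admin fix)
    {"Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\notepad.exe"},
    # 3: a compatibility Layers value, same listed exe name but wrong key -> no match
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Windows\explorer.exe"},
    # 4: odd casing -> still matches, as Sigma matching is case-insensitive
    {"Image": r"C:\Temp\installer.exe",
     "TargetObject": r"hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom\WINLOGON.EXE"},
]


def run_rule(events, matcher=selection_matches):
    """Return the indexes of events whose TargetObject satisfies the matcher."""
    return [i for i, ev in enumerate(events) if matcher(ev["TargetObject"])]


if __name__ == "__main__":
    for name, m in (("rule as written", selection_matches), ("value-set variant", value_set_matches)):
        hits = run_rule(SAMPLE_EVENTS, m)
        print(f"{name}: events {hits}")
        for i in hits:
            print(f"  [{i}] {SAMPLE_EVENTS[i]['Image']} -> {SAMPLE_EVENTS[i]['TargetObject']}")
```

The point of events 1 and 3 is the two ways this rule can be wrong in the field: a value-set record that extends past the executable name slips past endswith, while a Layers entry for the same executable is correctly ignored because the contains check pins the match to the Custom key. Whichever shape your source emits, keep the Image of the writing process in the alert; sdbinst.exe registering a shim for services.exe or winlogon.exe is the case the references describe and deserves a high-severity triage regardless.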
