attack.t1546.011

Potential Persistence Via AppCompat RegisterAppRestart Layer

Nov 1, 2024 · attack.persistence attack.t1546.011 ·

Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.

Suspicious Shim Database Patching Activity

Oct 1, 2024 · attack.persistence attack.t1546.011 ·

Share on:

Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.

Potential Persistence Via Shim Database In Uncommon Location

Aug 12, 2024 · attack.persistence attack.t1546.011 ·

Share on:

Detects the installation of a new shim database where the file is located in a non-default location

Potential Persistence Via Shim Database Modification

Aug 12, 2024 · attack.persistence attack.t1546.011 ·

Share on:

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time

Potential Shim Database Persistence via Sdbinst.EXE

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1546.011 ·

Share on:

Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims

Uncommon Extension Shim Database Installation Via Sdbinst.EXE

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1546.011 ·

Share on:

Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims