IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Adobe Hijack Persistence Registry Persistence via AppCert DLL »

› ›

Installation of Custom Shim Databases

edit

Installation of Custom Shim Databases

edit

Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.

Rule type: eql

Rule indices:

logs-endpoint.events.*
winlogbeat-*
logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Elastic
Host
Windows
Threat Detection
Persistence

Version: 102

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

sequence by process.entity_id with maxspan = 5m
  [process where event.type == "start" and
    not (process.name : "sdbinst.exe" and process.parent.name : "msiexec.exe")]
  [registry where event.type in ("creation", "change") and
    registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"]

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Event Triggered Execution
- ID: T1546
- Reference URL: https://attack.mitre.org/techniques/T1546/
Sub-technique:
- Name: Application Shimming
- ID: T1546.011
- Reference URL: https://attack.mitre.org/techniques/T1546/011/

« Adobe Hijack Persistence Registry Persistence via AppCert DLL »