EXPLORE

← Back to Explore

T1546.011

Application Shimming

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will ...

Windows

11

Detections

3

Sources

1

Threat Actors

BY SOURCE

6sigma3splunk_escu2elastic

PROCEDURES (7)

Registry Monitoring3 detections

Auto-extracted: 3 detections for registry monitoring

Privilege2 detections

Auto-extracted: 2 detections for privilege

Api2 detections

Auto-extracted: 2 detections for api

Bypass1 detections

Auto-extracted: 1 detections for bypass

Privilege1 detections

Auto-extracted: 1 detections for privilege

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Api1 detections

Auto-extracted: 1 detections for api

THREAT ACTORS (1)

DETECTIONS (11)

Installation of Custom Shim Databases

Potential Application Shimming via Sdbinst

Potential Persistence Via AppCompat RegisterAppRestart Layer

Potential Persistence Via Shim Database In Uncommon Location

Potential Persistence Via Shim Database Modification

Potential Shim Database Persistence via Sdbinst.EXE

Registry Keys for Creating SHIM Databases

Shim Database File Creation

Shim Database Installation With Suspicious Parameters

Suspicious Shim Database Patching Activity

Uncommon Extension Shim Database Installation Via Sdbinst.EXE