T1546.011

Application Shimming

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. The SDB (Shim DataBase) stores fix entries and shims. Malicious shim databases can be installed by adversaries using sdbinst.exe. Custom shims can be written to intercept and redirect API calls to inject malicious code into otherwise legitimate processes. This allows adversaries to apply persistent fixes to legitimate applications that execute when those applications run.

Microsoft Sentinel / Defender

kusto

let SdbInstall = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "sdbinst.exe"
| extend SdbFile = extract(@"sdbinst\.exe\s+(?:[-/][^\s]+\s+)*([\S]+\.sdb)", 1, ProcessCommandLine)
| extend IsUninstall = ProcessCommandLine has "-u"
| project SdbTime=Timestamp, DeviceName, AccountName, ProcessCommandLine,
         SdbFile, IsUninstall, InitiatingProcessFileName;
let SdbRegistry = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB"
  )
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| project RegTime=Timestamp, DeviceName, AccountName, RegistryKey,
         RegistryValueName, RegistryValueData, InitiatingProcessFileName;
let SdbFiles = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".sdb"
| where FolderPath !has "C:\\Windows\\AppPatch\\"
| where ActionType in ("FileCreated", "FileModified")
| project FileTime=Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType;
union (SdbInstall | extend EventType="SDB_INSTALL"),
      (SdbRegistry | extend EventType="SDB_REGISTRY"),
      (SdbFiles | extend EventType="SDB_FILE_CREATED")
| sort by SdbTime desc, RegTime desc, FileTime desc

high severity medium confidence

Data Sources

Process: Process Creation Windows Registry: Registry Key Modification File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents DeviceFileEvents

False Positives

Microsoft and third-party application compatibility fixes installed via Windows Update or application installers that use sdbinst.exe to deploy compatibility shims
Enterprise IT teams that deploy application compatibility databases via Group Policy or SCCM to resolve application compatibility issues
Software vendors that include shim databases in their installers to ensure compatibility with different Windows versions
Windows ADK (Assessment and Deployment Kit) users creating compatibility fixes for legacy applications

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Process Name",
  "Command",
  "File Name",
  "File Path",
  "Registry Key",
  "Registry Value",
  CASE
    WHEN LOWER("Process Name") LIKE '%sdbinst.exe%' THEN 'SDB_INSTALLER_EXECUTED'
    WHEN "Registry Key" LIKE '%AppCompatFlags%Custom%' OR "Registry Key" LIKE '%AppCompatFlags%InstalledSDB%' THEN 'APPCOMPAT_REGISTRY_MODIFIED'
    WHEN LOWER("File Name") LIKE '%.sdb' AND "File Path" NOT LIKE '%Windows%AppPatch%' THEN 'SDB_FILE_CREATED'
    ELSE 'UNKNOWN'
  END AS detection_type,
  CASE
    WHEN LOWER("Process Name") LIKE '%sdbinst.exe%' AND "Process Name" NOT LIKE '%msiexec%' AND "Process Name" NOT LIKE '%setup%' THEN 'HIGH'
    WHEN "Registry Key" LIKE '%AppCompatFlags%' THEN 'HIGH'
    WHEN LOWER("File Name") LIKE '%.sdb' THEN 'MEDIUM'
    ELSE 'LOW'
  END AS risk_level
FROM events
WHERE
  devicetime > (NOW() - 86400000)
  AND (
    LOWER("Process Name") LIKE '%sdbinst.exe%'
    OR ("Registry Key" LIKE '%AppCompatFlags%Custom%' OR "Registry Key" LIKE '%AppCompatFlags%InstalledSDB%')
    OR (LOWER("File Name") LIKE '%.sdb' AND "File Path" NOT LIKE '%Windows%AppPatch%')
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Windows Security Event Log Microsoft Sysmon QRadar Windows DSM

Required Tables

events

False Positives

Enterprise application compatibility testing teams using the Windows ACT (Application Compatibility Toolkit) will regularly invoke sdbinst.exe and write to AppCompatFlags registry keys as part of their normal workflow.
Third-party software vendors shipping applications built for older Windows versions may bundle their own shim databases and install them via their setup routines, triggering all detection conditions.
IT administrators running automated deployment scripts that include compatibility patches for legacy line-of-business applications may generate high volumes of these events around patch windows.

Sumo Logic CSE

sql

_sourceCategory=windows* (sdbinst.exe OR AppCompatFlags OR ".sdb")
| parse "EventCode=*" as event_code nodrop
| parse "Image=*" as image nodrop
| parse "CommandLine=*" as command_line nodrop
| parse "TargetFilename=*" as target_filename nodrop
| parse "TargetObject=*" as registry_key nodrop
| parse "Details=*" as registry_details nodrop
| parse "User=*" as user nodrop
| where (
    (event_code in ("1", "4688") and matches(toLowerCase(image), ".*sdbinst\\.exe.*"))
    or (event_code in ("12", "13") and matches(registry_key, ".*AppCompatFlags.*(Custom|InstalledSDB).*"))
    or (event_code = "11" and matches(toLowerCase(target_filename), ".*\\.sdb$") and !matches(target_filename, "(?i).*windows\\\\apppatch.*"))
  )
| eval detection_type = if(matches(toLowerCase(image), ".*sdbinst\\.exe.*"), "SDB_INSTALLER_EXECUTED",
    if(matches(registry_key, ".*AppCompatFlags.*"), "APPCOMPAT_REGISTRY_MODIFIED",
    if(matches(toLowerCase(target_filename), ".*\\.sdb$"), "SDB_FILE_CREATED", "UNKNOWN")))
| eval risk_level = if(matches(toLowerCase(image), ".*sdbinst\\.exe.*") and !matches(image, "(?i).*(msiexec|setup)\\.exe.*"), "HIGH",
    if(matches(registry_key, ".*AppCompatFlags.*"), "HIGH",
    if(matches(toLowerCase(target_filename), ".*\\.sdb$"), "MEDIUM", "LOW")))
| table _messageTime, _sourceHost, user, event_code, detection_type, risk_level, image, command_line, registry_key, registry_details, target_filename
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Sysmon (via Sumo Logic collector) Windows Security Event Log Sumo Logic Cloud SIEM

Required Tables

_sourceCategory=windows*

False Positives

Automated software deployment systems (e.g., SCCM, Intune, or Ansible) that apply application compatibility shims during operating system upgrades or application migrations will generate matching events at scale.
Security researchers or red teamers in authorized penetration testing exercises may execute sdbinst.exe with custom shim databases as part of documented adversary simulation activities.
Some legitimate antivirus or endpoint detection products use shim databases internally as part of their hooking or monitoring mechanisms, creating AppCompatFlags registry entries during installation.

Google Chronicle / SecOps

yaral

rule application_shimming_t1546_011 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Application Shimming (T1546.011) via sdbinst.exe execution, AppCompatFlags registry modification, or .sdb file creation outside Windows AppPatch"
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1546.011"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-20"

  events:
    (
      // sdbinst.exe process execution
      ($e.metadata.event_type = "PROCESS_LAUNCH" and
       re.regex($e.target.process.file.full_path, `(?i)sdbinst\.exe$`))
      or
      // AppCompatFlags registry modification
      ($e.metadata.event_type = "REGISTRY_MODIFICATION" and
       (
         re.regex($e.target.registry.registry_key, `(?i)AppCompatFlags\\(Custom|InstalledSDB)`) or
         re.regex($e.target.registry.registry_key, `(?i)AppCompatFlags.*(Custom|InstalledSDB)`)
       ))
      or
      // .sdb file created outside Windows AppPatch
      ($e.metadata.event_type = "FILE_CREATION" and
       re.regex($e.target.file.full_path, `(?i)\.sdb$`) and
       not re.regex($e.target.file.full_path, `(?i)Windows\\AppPatch`))
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Forwarding to Chronicle Chronicle Unified Data Model (UDM)

Required Tables

UDM Events (PROCESS_LAUNCH, REGISTRY_MODIFICATION, FILE_CREATION)

False Positives

Software vendors distributing applications with embedded compatibility shims will trigger both the sdbinst.exe process event and AppCompatFlags registry modification conditions as part of their standard installer execution.
IT administrators using the Microsoft Application Compatibility Toolkit to apply organization-wide compatibility fixes will generate sustained streams of these events during controlled deployment windows.
Endpoint Detection and Response products that leverage Windows shim infrastructure as part of their behavioral monitoring may write non-malicious .sdb files and registry entries matching this rule's conditions.

CrowdStrike LogScale (CQL)

cql

// Application Shimming Detection — T1546.011
// Detect sdbinst.exe execution, AppCompatFlags registry modifications, and .sdb file creation
(
  // sdbinst.exe process execution
  (#event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2)
  | regex(field=ImageFileName, regex="(?i)sdbinst\\.exe$")
  | eval DetectionType="SDB_INSTALLER_EXECUTED"
  | eval RiskLevel=if(match(ParentBaseFileName, "(?i)(msiexec|setup)\\.exe"), "MEDIUM", "HIGH")
)
| union (
  // AppCompatFlags registry key modification
  (#event_simpleName=RegSetValue OR #event_simpleName=RegCreateKey)
  | regex(field=RegObjectName, regex="(?i)AppCompatFlags\\\\(Custom|InstalledSDB)")
  | eval DetectionType="APPCOMPAT_REGISTRY_MODIFIED"
  | eval RiskLevel="HIGH"
)
| union (
  // .sdb file creation outside Windows AppPatch
  #event_simpleName=PeFileWritten
  | regex(field=TargetFileName, regex="(?i)\\.sdb$")
  | not regex(field=TargetFileName, regex="(?i)Windows\\\\AppPatch")
  | eval DetectionType="SDB_FILE_CREATED"
  | eval RiskLevel="MEDIUM"
)
| groupBy([ComputerName, UserName, DetectionType, RiskLevel, ImageFileName, CommandLine, RegObjectName, TargetFileName], function=count(as=EventCount))
| sort(field=EventCount, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor CrowdStrike Falcon Data Replicator (FDR) Humio / LogScale

Required Tables

ProcessRollup2 SyntheticProcessRollup2 RegSetValue RegCreateKey PeFileWritten

False Positives

CrowdStrike Falcon's own update and remediation mechanisms may occasionally write files with .sdb extensions or interact with AppCompatFlags registry keys during sensor updates or compatibility checks.
Enterprise software packaging tools such as InstallShield or Advanced Installer that bundle Windows Application Compatibility Toolkit fixes will generate ProcessRollup2 events for sdbinst.exe during sanctioned software deployments.
Windows Update and service packs periodically install compatibility shim databases for known application issues, creating legitimate sdbinst.exe executions and AppCompatFlags registry entries that match all detection conditions.

Last updated: 2026-04-20 Research depth: deep

References (6)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1546.011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1546Event Triggered Execution

Related Sub-techniques

T1546.001Change Default File Association T1546.002Screensaver T1546.003Windows Management Instrumentation Event Subscription T1546.004Unix Shell Configuration Modification T1546.005Trap T1546.006LC_LOAD_DYLIB Addition T1546.007Netsh Helper DLL T1546.008Accessibility Features T1546.009AppCert DLLs T1546.010AppInit DLLs T1546.012Image File Execution Options Injection T1546.013PowerShell Profile T1546.014Emond T1546.015Component Object Model Hijacking T1546.016Installer Packages T1546.017Udev Rules T1546.018Python Startup Hooks

Application Shimming

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections