Detect Application Shimming in Elastic Security
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. The SDB (Shim DataBase) stores fix entries and shims. Malicious shim databases can be installed by adversaries using sdbinst.exe. Custom shims can be written to intercept and redirect API calls to inject malicious code into otherwise legitimate processes. This allows adversaries to apply persistent fixes to legitimate applications that execute when those applications run.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.011 Application Shimming
- Canonical reference
- https://attack.mitre.org/techniques/T1546/011/
Elastic Detection Query
sequence by host.name with maxspan=5m
[any where
(event.category == "process" and process.name : "sdbinst.exe") or
(event.category == "registry" and registry.path : ("*\\AppCompatFlags\\Custom\\*", "*\\AppCompatFlags\\InstalledSDB\\*") and event.type in ("creation", "change")) or
(event.category == "file" and file.extension == "sdb" and not file.path : "C:\\Windows\\AppPatch\\*" and event.type in ("creation", "change"))
]Detects Application Shimming persistence (T1546.011) by identifying sdbinst.exe execution, registry modifications to AppCompatFlags keys, and creation of .sdb shim database files outside the legitimate Windows AppPatch directory. Sequences events on the same host within 5 minutes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers (e.g., older enterprise applications) that use the Windows Application Compatibility Toolkit may invoke sdbinst.exe as part of a sanctioned deployment workflow.
- Microsoft SCCM or WSUS deployments may apply application compatibility fixes via sdbinst.exe during patch cycles, generating registry and file events that match this rule.
- Developers testing application compatibility shims in a lab or staging environment may trigger all three detection conditions simultaneously without malicious intent.
Other platforms for T1546.011
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Install Custom Shim Database with sdbinst.exe
Expected signal: Process creation for sdbinst.exe with the SDB file path argument. File creation event for argus_test.sdb in Temp directory. Registry modification to AppCompatFlags\InstalledSDB adding a new GUID key. Process creation event for sdbinst.exe is the primary detection trigger.
- Test 2Query Installed Shim Databases
Expected signal: Process creation for reg.exe querying AppCompatFlags keys. Read-only operation. Output shows all installed SDB GUIDs and their file paths.
- Test 3Create Shim Database File Outside AppPatch
Expected signal: File creation event (Sysmon 11): TargetFilename ends with .sdb and path contains Temp, not Windows\AppPatch. This triggers the SDB_FILE_CREATED detection vector.
References (6)
- https://attack.mitre.org/techniques/T1546/011/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://www.mandiant.com/resources/blog/fin7-duos-duplicitous-scheme
- https://www.alex-ionescu.com/?p=39
- https://github.com/mandiant/ShimCacheParser
Unlock Pro Content
Get the full detection package for T1546.011 including response playbook, investigation guide, and atomic red team tests.