T1546.011 CrowdStrike LogScale · LogScale

Detect Application Shimming in CrowdStrike LogScale

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. The SDB (Shim DataBase) stores fix entries and shims. Malicious shim databases can be installed by adversaries using sdbinst.exe. Custom shims can be written to intercept and redirect API calls to inject malicious code into otherwise legitimate processes. This allows adversaries to apply persistent fixes to legitimate applications that execute when those applications run.

MITRE ATT&CK

Tactic: Privilege Escalation, Persistence
Technique: T1546 Event Triggered Execution
Sub-technique: T1546.011 Application Shimming
Canonical reference: https://attack.mitre.org/techniques/T1546/011/

LogScale Detection Query

CrowdStrike LogScale (CQL)

```cql
// Application Shimming Detection — T1546.011
// Detect sdbinst.exe execution, AppCompatFlags registry modifications, and .sdb file creation
(#event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2
  OR #event_simpleName=RegSetValue OR #event_simpleName=RegCreateKey
  OR #event_simpleName=PeFileWritten)
// Each case branch is one detection vector; an event takes the first branch it matches
| case {
    // sdbinst.exe process execution; installer-spawned runs are scored lower
    ImageFileName=/(?i)sdbinst\.exe$/
      | DetectionType := "SDB_INSTALLER_EXECUTED"
      | case {
          ParentBaseFileName=/(?i)(msiexec|setup)\.exe/ | RiskLevel := "MEDIUM";
          * | RiskLevel := "HIGH"
        };
    // AppCompatFlags registry key modification
    RegObjectName=/(?i)AppCompatFlags\\(Custom|InstalledSDB)/
      | DetectionType := "APPCOMPAT_REGISTRY_MODIFIED"
      | RiskLevel := "HIGH";
    // .sdb file creation outside Windows\AppPatch
    TargetFileName=/(?i)\.sdb$/ AND TargetFileName!=/(?i)Windows\\AppPatch/
      | DetectionType := "SDB_FILE_CREATED"
      | RiskLevel := "MEDIUM"
  }
// Events that matched no branch carry no DetectionType and are dropped here
| DetectionType=*
// Fields absent from a given event type are filled so groupBy keeps every row
| default(field=[ImageFileName, CommandLine, RegObjectName, TargetFileName], value="-")
| groupBy([ComputerName, UserName, DetectionType, RiskLevel, ImageFileName, CommandLine, RegObjectName, TargetFileName], function=count(as=EventCount))
| sort(field=EventCount, order=desc)
```

Severity: high. Confidence: high.

A CrowdStrike LogScale (CQL) query that detects Application Shimming (T1546.011) from Falcon sensor telemetry. It identifies sdbinst.exe execution via ProcessRollup2 events, AppCompatFlags registry modifications via RegSetValue/RegCreateKey events, and .sdb file writes outside Windows\AppPatch via PeFileWritten events, then aggregates by host and user for analyst triage.

Data Sources

  • CrowdStrike Falcon Sensor
  • CrowdStrike Falcon Data Replicator (FDR)
  • Humio / LogScale

Required Tables

  • ProcessRollup2
  • SyntheticProcessRollup2
  • RegSetValue
  • RegCreateKey
  • PeFileWritten

False Positives & Tuning

  • CrowdStrike Falcon's own update and remediation mechanisms may occasionally write files with .sdb extensions or interact with AppCompatFlags registry keys during sensor updates or compatibility checks.
  • Enterprise software packaging tools such as InstallShield or Advanced Installer that bundle Windows Application Compatibility Toolkit fixes will generate ProcessRollup2 events for sdbinst.exe during sanctioned software deployments.
  • Windows Update and service packs periodically install compatibility shim databases for known application issues, creating legitimate sdbinst.exe executions and AppCompatFlags registry entries that match all detection conditions.
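A tuned variant of the sdbinst.exe branch that applies the allowlisting described above, added here as an example and not part of the original page's detection package. It assumes a LogScale lookup file named approved_sdb_installers.csv with a parent column that you maintain, and the SoftwareDistribution path pattern for Windows Update deliveries is an assumption to validate against your own telemetry.

```cql
// Tuned sdbinst.exe branch: drop sanctioned deployment sources, score the rest
#event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2
| ImageFileName=/(?i)sdbinst\.exe$/
| DetectionType := "SDB_INSTALLER_EXECUTED"
// Assumed lookup file (approved_sdb_installers.csv, column "parent") listing the
// packaging-tool parents your deployment pipeline is allowed to launch sdbinst.exe from
| !match(file="approved_sdb_installers.csv", field=ParentBaseFileName, column="parent")
// Assumed path used when Windows Update stages a shim database; confirm in your own data
| CommandLine!=/(?i)\\Windows\\SoftwareDistribution\\/
// Remaining installer-spawned runs keep the original query's MEDIUM score; everything else is HIGH
| case {
    ParentBaseFileName=/(?i)(msiexec|setup)\.exe/ | RiskLevel := "MEDIUM";
    * | RiskLevel := "HIGH"
  }
| groupBy([ComputerName, UserName, RiskLevel, ParentBaseFileName, CommandLine], function=count(as=EventCount))
| sort(field=EventCount, order=desc)
```

Review the suppressed rows periodically (run the same query with match() instead of !match()) so an approved parent that starts launching sdbinst.exe from unexpected paths does not stay invisible.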

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Install Custom Shim Database with sdbinst.exe

    Expected signal: Process creation for sdbinst.exe with the SDB file path argument. File creation event for argus_test.sdb in Temp directory. Registry modification to AppCompatFlags\InstalledSDB adding a new GUID key. Process creation event for sdbinst.exe is the primary detection trigger.

  2. Test 2: Query Installed Shim Databases

    Expected signal: Process creation for reg.exe querying AppCompatFlags keys. Read-only operation. Output shows all installed SDB GUIDs and their file paths.

  3. Test 3: Create Shim Database File Outside AppPatch

    Expected signal: File creation event (Sysmon 11): TargetFilename ends with .sdb and path contains Temp, not Windows\AppPatch. This triggers the SDB_FILE_CREATED detection vector.
