Potential Persistence Via Shim Database Modification

Severity: medium
Author: frack113
Source: upstream

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1546.011` Event Triggered Execution: Application Shimming
Privilege Escalation	`T1546.011` Event Triggered Execution: Application Shimming

Event coverage

Provider	Event ID	Title
Sysmon	13	RegistryEvent (Value Set)

Stages and Predicates

Stage 1: `selection`

or:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'

Stage 2: `not 1 of filter_main_*`

or:
Details: ''
Details: '(Empty)'
Details: null

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Details`	eq	`(Empty)` corpus 24 (sigma 24)
`TargetObject`	match	`\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\` corpus 2 (sigma 2) `\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\` corpus 2 (sigma 2)