Detection rules › Sigma
Suspicious Shim Database Patching Activity
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1546.011 Event Triggered Execution: Application Shimming |
| Privilege Escalation | T1546.011 Event Triggered Execution: Application Shimming |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: selection
or:
TargetObject|endswith: '\RuntimeBroker.exe'
TargetObject|endswith: '\WmiPrvSe.exe'
TargetObject|endswith: '\csrss.exe'
TargetObject|endswith: '\dllhost.exe'
TargetObject|endswith: '\explorer.exe'
TargetObject|endswith: '\services.exe'
TargetObject|endswith: '\sihost.exe'
TargetObject|endswith: '\svchost.exe'
TargetObject|endswith: '\taskhostw.exe'
TargetObject|endswith: '\winlogon.exe'
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetObject | ends_with |
|
TargetObject | match |
|