Detection rules › Splunk
Registry Keys for Creating SHIM Databases
The following analytic detects registry activity related to the creation of application compatibility shims. It leverages data from the Endpoint.Registry data model, specifically monitoring registry paths associated with AppCompatFlags. This activity is significant because attackers can use shims to bypass security controls, achieve persistence, or escalate privileges. If confirmed malicious, this could allow an attacker to maintain long-term access, execute arbitrary code, or manipulate application behavior, posing a severe risk to the integrity and security of the affected systems.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1546.011 Event Triggered Execution: Application Shimming |
| Privilege Escalation | T1546.011 Event Triggered Execution: Application Shimming |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: tstats
tstats WHERE (Registry.registry_path="*CurrentVersion\\\\AppCompatFlags\\\\Custom*" OR Registry.registry_path="*CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB*") BY Registry.action, Registry.dest, Registry.process_guid, Registry.process_id, Registry.registry_hive, Registry.registry_path, Registry.registry_key_name, Registry.registry_value_data, Registry.registry_value_name, Registry.registry_value_type, Registry.status, Registry.user, Registry.vendor_product
Stage 2: search
search
Stage 3: where
where isnotnull(registry_value_data)
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Registry.registry_path | eq |
|