A new custom shim database may indicate adversary attempts to persist or elevate privileges by leveraging application shims to execute malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential persistence mechanisms and mitigate advanced threats.
Detection Rule
title: New Custom Shim Database Created
id: ee63c85c-6d51-4d12-ad09-04e25877a947
status: test
description: |
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
    - https://liberty-shell.com/sec/2020/02/25/shim-persistence/
    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-29
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - ':\Windows\apppatch\Custom\'
            - ':\Windows\apppatch\CustomSDB\'
    condition: selection
falsepositives:
    - Legitimate custom SHIM installations will also trigger this rule
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_new_shim_database/info.yml
imFileEvent
| where TargetFileName contains ":\\Windows\\apppatch\\Custom\\" or TargetFileName contains ":\\Windows\\apppatch\\CustomSDB\\"
Scenario: System Update or Patch Deployment
Description: A system update or patch may create a new shim database as part of the Windows compatibility framework during installation.
Filter/Exclusion: Check the CreationTime of the shim database file and exclude files created during known patch deployment windows (e.g., via SCCM, WSUS, or Microsoft Update).
Example Filter: file_name == "CompatDB.db" and creation_time > "2024-01-01" and creation_time < "2024-02-01"
Scenario: Scheduled Job for Compatibility Testing
Description: A legitimate scheduled job may generate a new shim database as part of compatibility testing for application upgrades.
Filter/Exclusion: Exclude files created by known testing tools or scheduled tasks (e.g., TestAppCompatJob.exe or CompatTestScheduler).
Example Filter: process_name == "TestAppCompatJob.exe" or process_name == "CompatTestScheduler.exe"
Scenario: Admin Task to Configure Application Compatibility
Description: An administrator may manually configure application compatibility settings, which can result in the creation of a new shim database.
Filter/Exclusion: Exclude files created by known administrative tools (e.g., CompatAdmin.exe, AppCompatConfig.exe, or msconfig.exe).
Example Filter: process_name == "CompatAdmin.exe" or process_name == "AppCompatConfig.exe"
Scenario: Microsoft Application Compatibility Toolkit (ACT) Usage
Description: The Microsoft Application Compatibility Toolkit may generate a new shim database when analyzing applications for compatibility.
Filter/Exclusion: Exclude files created by the ACT tools (e.g., ACT.exe, CompatAnalysis.exe).
Example Filter: process_name == "ACT.exe" or process ->
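The following is an added example, not part of the original rule or the Sigma project: it applies the rule's TargetFilename match and then the false-positive exclusions described in the scenarios above (known tool allowlist, patch deployment window) to a few constructed Sysmon-style file events. The tool names, the patch window and the sample events are assumptions made for the example.

```python
from datetime import datetime

# Directories from the rule's selection; compared lower-cased because Sigma
# |contains is case-insensitive on Windows paths
SHIM_DIRS = (":\\windows\\apppatch\\custom\\", ":\\windows\\apppatch\\customsdb\\")
# Image names taken from the false-positive scenarios above (illustrative names)
KNOWN_TOOLS = {"testappcompatjob.exe", "compattestscheduler.exe", "compatadmin.exe",
               "appcompatconfig.exe", "msconfig.exe", "act.exe", "compatanalysis.exe"}
# Constructed patch-deployment window for the example (an assumption)
PATCH_WINDOW = (datetime(2024, 1, 1), datetime(2024, 2, 1))

def matches_rule(target_filename: str) -> bool:
    """Sigma selection: TargetFilename|contains either custom SDB directory."""
    path = target_filename.lower()
    return any(d in path for d in SHIM_DIRS)

def triage(event: dict) -> str:
    """Classify one file_event as 'no_match', 'excluded:<reason>' or 'alert'."""
    if not matches_rule(event["TargetFilename"]):
        return "no_match"
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image in KNOWN_TOOLS:
        return "excluded:known_tool"
    created = datetime.fromisoformat(event["UtcTime"])
    if PATCH_WINDOW[0] <= created < PATCH_WINDOW[1]:
        return "excluded:patch_window"
    return "alert"

# Constructed sample events using Sysmon-style file_event field names
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-05T10:14:00", "Image": "C:\\Users\\Public\\setup.exe",
     "TargetFilename": "C:\\Windows\\AppPatch\\Custom\\{example-guid}.sdb"},
    {"UtcTime": "2024-03-05T11:00:00", "Image": "C:\\Tools\\CompatAdmin.exe",
     "TargetFilename": "C:\\Windows\\AppPatch\\Custom\\fix.sdb"},
    {"UtcTime": "2024-01-15T02:30:00", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\AppPatch\\CustomSDB\\rollup.sdb"},
    {"UtcTime": "2024-03-05T12:00:00", "Image": "C:\\Users\\Public\\setup.exe",
     "TargetFilename": "C:\\Windows\\AppPatch\\sysmain.sdb"},
]

def run(events=SAMPLE_EVENTS) -> list:
    """Return the triage verdict for each event, in input order."""
    return [triage(e) for e in events]

if __name__ == "__main__":
    for e, verdict in zip(SAMPLE_EVENTS, run()):
        print(verdict, e["TargetFilename"])
```

Only the first sample survives both exclusions and would be raised as an alert; the allowlist is a triage aid, not a reason to drop the base rule.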