
Suspicious Shim Database Patching Activity

Format: Sigma · Level: HIGH · Source: SigmaHQ · Technique: T1546.011 · Sentinel table: imRegistry · Tactic: persistence
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-31T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.

Detection Rule

Sigma (Original)

title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: test
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
        TargetObject|endswith:
            # Note: add other applications to increase coverage
            - '\csrss.exe'
            - '\dllhost.exe'
            - '\explorer.exe'
            - '\RuntimeBroker.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\svchost.exe'
            - '\taskhostw.exe'
            - '\winlogon.exe'
            - '\WmiPrvSe.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
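To see the selection above run over events rather than read it, here is an added Python example (it is not part of the SigmaHQ rule or of this page). It implements the rule exactly as written (contains the Custom key prefix AND ends with one of the listed executables, case-insensitively, as Sigma string modifiers are) and runs it over constructed Sysmon-style registry events. The RegistryEvent type, the sample paths, the GUID and the installing image are all made up for the example. It also adds a normalisation of its own, shimmed_executable, which reads the executable from the path component right after \Custom\ instead of the final component; that matters because Sysmon Event ID 13 appends the value name to TargetObject. Which of these event shapes your pipeline actually emits is exactly what the lab validation advised at the top of the page should confirm.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key prefix and the target-executable list are taken from the Sigma rule above.
SHIM_CUSTOM_KEY = "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\"
TARGET_EXES = {
    "csrss.exe", "dllhost.exe", "explorer.exe", "RuntimeBroker.exe", "services.exe",
    "sihost.exe", "svchost.exe", "taskhostw.exe", "winlogon.exe", "WmiPrvSe.exe",
}
_TARGETS_LOWER = {e.lower() for e in TARGET_EXES}


@dataclass
class RegistryEvent:
    """Stand-in for a Sysmon registry event (a type constructed for this example)."""
    event_id: int        # 12 = key created/deleted, 13 = value set
    target_object: str   # Sysmon TargetObject
    image: str           # process that performed the write


def sigma_match(target_object: str) -> bool:
    """The rule's selection exactly as written: TargetObject contains the Custom key
    prefix AND ends with '\\<exe>' for one of the listed executables. Sigma string
    modifiers are case-insensitive, so both sides are lower-cased."""
    t = target_object.lower()
    if SHIM_CUSTOM_KEY.lower() not in t:
        return False
    return any(t.endswith("\\" + exe) for exe in _TARGETS_LOWER)


def shimmed_executable(target_object: str) -> Optional[str]:
    """Name of the executable a Custom\\<exe> key (or a value beneath it) shims, or
    None if the path is not under the Custom key. This normalisation is this
    example's own addition: Sysmon Event ID 13 appends the value name (here a
    '{GUID}.sdb' value) to TargetObject, so the executable is the path component
    right after '\\Custom\\', not the final component."""
    idx = target_object.lower().find(SHIM_CUSTOM_KEY.lower())
    if idx < 0:
        return None
    rest = target_object[idx + len(SHIM_CUSTOM_KEY):]
    exe = rest.split("\\", 1)[0]
    return exe or None


def evaluate(events: List[RegistryEvent]) -> Tuple[List[RegistryEvent], List[RegistryEvent]]:
    """Run both checks over a batch. Returns (hits for the rule as written,
    hits when the executable is taken from the Custom\\<exe> component)."""
    as_written = [e for e in events if sigma_match(e.target_object)]
    normalised = [
        e for e in events
        if (shimmed_executable(e.target_object) or "").lower() in _TARGETS_LOWER
    ]
    return as_written, normalised


# Constructed sample events: paths, GUID and image are made up for this example.
_PREFIX = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags"
_SDBINST = "C:\\Windows\\System32\\sdbinst.exe"
SAMPLE_EVENTS = [
    # Per-executable key being created for svchost.exe: fires as written.
    RegistryEvent(12, _PREFIX + "\\Custom\\svchost.exe", _SDBINST),
    # Value set under that key: TargetObject ends in the value name, so the rule as
    # written does not match this event; the normalised check attributes it to svchost.exe.
    RegistryEvent(13, _PREFIX + "\\Custom\\svchost.exe\\{a1b2c3d4-0000-4000-8000-000000000001}.sdb", _SDBINST),
    # A shim for a line-of-business application, not an OS process: no hit.
    RegistryEvent(12, _PREFIX + "\\Custom\\AcmeInventory.exe", _SDBINST),
    # InstalledSDB bookkeeping key, outside \Custom\: no hit.
    RegistryEvent(13, _PREFIX + "\\InstalledSDB\\{a1b2c3d4-0000-4000-8000-000000000001}\\DatabasePath", _SDBINST),
    # Upper-case key name: matches, because Sigma string comparisons ignore case.
    RegistryEvent(12, _PREFIX + "\\Custom\\WINLOGON.EXE", _SDBINST),
]


if __name__ == "__main__":
    as_written, normalised = evaluate(SAMPLE_EVENTS)
    for e in SAMPLE_EVENTS:
        norm_hit = (shimmed_executable(e.target_object) or "").lower() in _TARGETS_LOWER
        print(f"EID {e.event_id}  as_written={str(sigma_match(e.target_object)):5}  "
              f"normalised={str(norm_hit):5}  {e.target_object}")
    print(f"{len(as_written)} hit(s) as written, {len(normalised)} with normalisation")
```

Running the file prints one line per event; of the five constructed events, two match the rule as written (the two key-creation events) and three match once the executable is read from the Custom\<exe> component. If your registry source delivers key path and value name in one field, the normalised form is the one to port; if it delivers them in separate columns (ASIM imRegistry and Defender for Endpoint both do), the endswith test on the key column already behaves like the normalised check.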

KQL (Azure Sentinel)

imRegistry keeps the key path (RegistryKey) and the value name (RegistryValue) in separate columns, so the endswith test applies to the Custom\<exe> key itself; the EventType filter mirrors the rule's registry_set log source. The Custom key prefix is a contains test, as in the Sigma rule (a trailing * is not a wildcard in KQL string operators).

let shimTargets = dynamic(["\\csrss.exe", "\\dllhost.exe", "\\explorer.exe", "\\RuntimeBroker.exe", "\\services.exe",
                           "\\sihost.exe", "\\svchost.exe", "\\taskhostw.exe", "\\winlogon.exe", "\\WmiPrvSe.exe"]);
imRegistry
| where EventType == "RegistryValueSet"
| where RegistryKey contains @"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\"
| where RegistryKey endswith @"\csrss.exe"
    or RegistryKey endswith @"\dllhost.exe"
    or RegistryKey endswith @"\explorer.exe"
    or RegistryKey endswith @"\RuntimeBroker.exe"
    or RegistryKey endswith @"\services.exe"
    or RegistryKey endswith @"\sihost.exe"
    or RegistryKey endswith @"\svchost.exe"
    or RegistryKey endswith @"\taskhostw.exe"
    or RegistryKey endswith @"\winlogon.exe"
    or RegistryKey endswith @"\WmiPrvSe.exe"
| project TimeGenerated, DvcHostname, EventType, RegistryKey, RegistryValue, RegistryValueData, ActingProcessName, ActingProcessCommandLine

KQL (Microsoft 365 Defender)

DeviceRegistryEvents likewise separates RegistryKey from RegistryValueName; ActionType == "RegistryValueSet" mirrors the rule's registry_set log source, and the Custom key prefix is matched with contains rather than endswith.

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey contains @"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\"
| where RegistryKey endswith @"\csrss.exe"
    or RegistryKey endswith @"\dllhost.exe"
    or RegistryKey endswith @"\explorer.exe"
    or RegistryKey endswith @"\RuntimeBroker.exe"
    or RegistryKey endswith @"\services.exe"
    or RegistryKey endswith @"\sihost.exe"
    or RegistryKey endswith @"\svchost.exe"
    or RegistryKey endswith @"\taskhostw.exe"
    or RegistryKey endswith @"\winlogon.exe"
    or RegistryKey endswith @"\WmiPrvSe.exe"
| project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine

Required Data Sources

Sentinel table: imRegistry (ASIM registry-event parser)
Notes: imRegistry is a parser, not a connector. Ensure the underlying registry telemetry is actually ingested (for example Sysmon Event ID 13 forwarded into Sentinel, or Microsoft Defender for Endpoint DeviceRegistryEvents through the Defender XDR connector); otherwise the parser returns no rows and the rule can never fire.

False Positive Guidance

The rule's own falsepositives field is "Unknown". Shim databases are legitimately installed with sdbinst.exe by application packaging teams and some vendor installers, but those fixes target the line-of-business executable being shimmed, not the core OS processes in the list, so a hit on csrss.exe, winlogon.exe, services.exe or similar should be triaged as high confidence rather than tuned away. To triage, take the GUID from the .sdb value name, look it up under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{GUID} (DatabasePath, DatabaseDescription, DatabaseInstallTimeStamp), collect the .sdb file it points to (by default under C:\Windows\AppPatch\Custom\ or Custom64\), and check the installing process and command line captured in the same event. If a genuine enterprise fix does shim one of these binaries, exclude it by its specific key and GUID, not by removing the executable from the list.

MITRE ATT&CK Context

T1546.011, Event Triggered Execution: Application Shimming, under the Persistence and Privilege Escalation tactics. The FIN7 reporting referenced in the rule describes a custom shim database applied to services.exe so that a payload is patched into the process each time it starts, which is the behaviour the executable list is built to catch.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml