LoFP: t1546.011 (Event Triggered Execution: Application Shimming)

False-positive notes recorded for detection rules covering this technique, each with its technique, platform and source tags.

1. Because legitimate shim files are created and used all the time, this event, in itself, is not suspicious. However, if there are other correlating events, it may warrant further investigation.
   Tags: t1546, t1546.011, endpoint, splunk

2. Legitimate applications making use of this feature for compatibility reasons.
   Tags: t1546, t1546.011, windows, sigma

3. Legitimate custom shim installations will also trigger this rule.
   Tags: t1546, t1546.011, t1547, t1547.009, windows, sigma

4. None identified.
   Tags: t1048, t1048.003, t1070, t1204.002, t1546, t1546.011, t1566, t1566.001, splunk server, endpoint, splunk

5. There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications.
   Tags: t1546, t1546.011, endpoint, splunk
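The notes above all make the same point: a custom shim install by itself is routine, so a rule on sdbinst.exe should be scored by what correlates with it rather than fired on its own. The example below is added here and is not code from LoFP, Splunk ESCU or the Sigma project. It assumes Sysmon-style fields (Event ID 1 process create, Event ID 13 registry value set), a trusted-path allow-list, a list of phishing-chain parent processes, a 60-second correlation window and a review threshold, all of which are illustrative choices; the sample events are constructed, not real telemetry. sdbinst.exe and the HKLM\...\AppCompatFlags\Custom and \InstalledSDB keys are the genuine Windows artifacts of a shim install.

```python
"""Triage of custom shim installs via sdbinst.exe: score each install by its
correlating evidence instead of alerting on the install alone.
Added example, not code from LoFP, Splunk or Sigma. Sample events are
constructed; field names imitate Sysmon Event ID 1 and 13 and are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (NOT real logs).
SAMPLE_EVENTS = [
    # Vendor installer registering a shim from Program Files: the common benign case.
    {"ts": "2024-01-10T09:00:00", "id": 1, "host": "ws01", "pid": 4100,
     "image": r"C:\Windows\System32\sdbinst.exe",
     "cmdline": r'sdbinst.exe -q "C:\Program Files\VendorApp\vendorapp.sdb"',
     "parent_image": r"C:\Program Files\VendorApp\setup.exe"},
    {"ts": "2024-01-10T09:00:01", "id": 13, "host": "ws01", "pid": 4100,
     "image": r"C:\Windows\System32\sdbinst.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{11111111-2222-3333-4444-555555555555}\DatabasePath"},
    # Shim dropped to %TEMP% and installed from Word: the phishing chain the t1566/t1204 tags describe.
    {"ts": "2024-01-10T13:05:10", "id": 1, "host": "ws02", "pid": 7720,
     "image": r"C:\Windows\System32\sdbinst.exe",
     "cmdline": r"sdbinst.exe -q C:\Users\bob\AppData\Local\Temp\update.sdb",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ts": "2024-01-10T13:05:11", "id": 13, "host": "ws02", "pid": 7720,
     "image": r"C:\Windows\System32\sdbinst.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\notepad.exe\{66666666-7777-8888-9999-000000000000}.sdb"},
    # Someone shimming a legacy tool straight from Downloads: ambiguous, needs context.
    {"ts": "2024-01-10T15:30:00", "id": 1, "host": "ws03", "pid": 9010,
     "image": r"C:\Windows\System32\sdbinst.exe",
     "cmdline": r'sdbinst.exe "C:\Users\carol\Downloads\legacyapp.sdb"',
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Assumed tuning knobs; adjust to the environment.
TRUSTED_SDB_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|Windows\\Temp|ProgramData)\\", re.I)
PHISH_CHAIN_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
APPCOMPAT_KEY = re.compile(r"\\AppCompatFlags\\(?:Custom|InstalledSDB)\\", re.I)
SDB_ARG = re.compile(r'"([^"]+\.sdb)"|(\S+\.sdb)', re.I)
CORRELATION_WINDOW = timedelta(seconds=60)
REVIEW_THRESHOLD = 3


def sdb_path(cmdline):
    """Return the .sdb argument from an sdbinst command line (quoted or bare), or None."""
    m = SDB_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def score_install(proc, registry_events):
    """Score one sdbinst.exe process-create event against its correlating evidence."""
    score, reasons = 0, []
    path = sdb_path(proc["cmdline"])
    if path is None:
        reasons.append("no .sdb argument parsed (uninstall or unusual syntax)")
    elif USER_WRITABLE.search(path):
        score += 2
        reasons.append(f"shim database in user-writable path: {path}")
    elif not path.lower().startswith(TRUSTED_SDB_PREFIXES):
        score += 1
        reasons.append(f"shim database outside trusted install locations: {path}")
    parent = proc["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in PHISH_CHAIN_PARENTS:
        score += 2
        reasons.append(f"launched by Office/script host: {parent}")
    t0 = datetime.fromisoformat(proc["ts"])
    confirmed = any(
        r["host"] == proc["host"] and r["pid"] == proc["pid"]
        and APPCOMPAT_KEY.search(r["target_object"])
        and timedelta(0) <= datetime.fromisoformat(r["ts"]) - t0 <= CORRELATION_WINDOW
        for r in registry_events)
    # An AppCompatFlags write is the normal side effect of every install, so it
    # only corroborates an already-suspicious chain; on its own it is not a signal.
    if confirmed and score > 0:
        score += 1
        reasons.append("install confirmed by AppCompatFlags registry write")
    if score == 0:
        verdict = "suppress"
    elif score >= REVIEW_THRESHOLD:
        verdict = "review"
    else:
        verdict = "low"
    return {"host": proc["host"], "ts": proc["ts"], "sdb": path,
            "score": score, "verdict": verdict, "reasons": reasons}


def triage(events):
    """Run score_install over every sdbinst.exe process-create event in the batch."""
    procs = [e for e in events if e["id"] == 1 and e["image"].lower().endswith("\\sdbinst.exe")]
    regs = [e for e in events if e["id"] == 13]
    return [score_install(p, regs) for p in procs]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f'{r["host"]} {r["verdict"]:8} score={r["score"]} {"; ".join(r["reasons"])}')
```

On the sample batch the vendor install scores 0 and is suppressed, the Word-launched install from %TEMP% scores 5 and goes to review, and the install from Downloads scores 2 and is kept as low-priority context. Uninstalls (`sdbinst -u`) carry no .sdb path and fall through with no score, which is deliberate: removal of a shim belongs with the t1070 indicator-removal rules rather than this one.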