Techniques
Sample rules
New Custom Shim Database Created
- source: sigma
- techniques:
  - t1547
  - t1547.009
Description
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
Detection logic
selection:
  TargetFilename|contains:
    - :\Windows\apppatch\Custom\
    - :\Windows\apppatch\CustomSDB\
condition: selection
Potential Persistence Via Shim Database Modification
- source: sigma
- techniques:
  - t1546
  - t1546.011
Description
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
Detection logic
selection:
  TargetObject|contains:
    - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\
    - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\
filter_main_empty:
  Details: ''
condition: selection and not 1 of filter_main_*
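To show how the two rules above evaluate, here is an added example (not part of the rule catalogue or of Sigma itself) that applies both selections and the filter to constructed Sysmon-style events; the event field names follow Sysmon, the sample values and the {GUID} placeholder are made up, and the handling of a missing Details field is an assumption noted in the code.

```python
# Added example (not from the rule catalogue): runs the two Sigma rules above
# over constructed Sysmon-style events (EventID 11 FileCreate, 13 RegistryEvent).
# Field names follow Sysmon; every event value here is made up.

# TargetFilename substrings from "New Custom Shim Database Created"
SHIM_FILE_PATHS = (":\\Windows\\apppatch\\Custom\\", ":\\Windows\\apppatch\\CustomSDB\\")
# TargetObject substrings from "Potential Persistence Via Shim Database Modification"
SHIM_REG_PATHS = (
    "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\",
    "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\",
)

def _contains_any(value, needles):
    """Sigma '|contains' modifier with its default case-insensitive matching."""
    value = str(value).lower()
    return any(n.lower() in value for n in needles)

def new_custom_shim_database(event):
    """Rule 1, condition 'selection': TargetFilename contains a shim DB directory."""
    return _contains_any(event.get("TargetFilename", ""), SHIM_FILE_PATHS)

def shim_database_modification(event):
    """Rule 2, 'selection and not 1 of filter_main_*': the one filter drops events
    whose Details is the empty string (assumption: a missing field is not filtered)."""
    selection = _contains_any(event.get("TargetObject", ""), SHIM_REG_PATHS)
    filters = [event.get("Details") == ""]  # the only filter_main_* block
    return selection and not any(filters)

def run_rules(events):
    """Return (event index, rule title) for every event that fires a rule."""
    hits = []
    for i, ev in enumerate(events):
        if new_custom_shim_database(ev):
            hits.append((i, "New Custom Shim Database Created"))
        if shim_database_modification(ev):
            hits.append((i, "Potential Persistence Via Shim Database Modification"))
    return hits

# Constructed sample events; {GUID} stands in for a real SDB identifier.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Windows\AppPatch\Custom\{GUID}.sdb"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    {"EventID": 13, "Details": r"C:\Windows\AppPatch\Custom\{GUID}.sdb",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\AppCompatFlags\InstalledSDB\{GUID}\DatabasePath"},
    {"EventID": 13, "Details": "",  # empty value: excluded by filter_main_empty
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\AppCompatFlags\Custom\notepad.exe\{GUID}.sdb"},
]
```

Running run_rules(SAMPLE_EVENTS) fires rule 1 on the first event and rule 2 on the third; the fourth event matches the registry selection but is suppressed by filter_main_empty.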