Registry Keys for Creating SHIM Databases
- source: splunk
- techniques:
  - T1546.011
  - T1546
Description
This search looks for registry writes under the application compatibility shim keys (AppCompatFlags\Custom and AppCompatFlags\InstalledSDB); attackers can register custom shim databases there for persistence or privilege abuse (MITRE ATT&CK T1546.011).
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path=*CurrentVersion\\AppCompatFlags\\Custom* OR Registry.registry_path=*CurrentVersion\\AppCompatFlags\\InstalledSDB*) BY _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.process_guid
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `registry_keys_for_creating_shim_databases_filter`
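As an added illustration (not part of the Splunk content), the following Python replays the search's logic over constructed Endpoint.Registry-style records, showing which events survive the path wildcard, the isnotnull check and the span=1h bucketing; the field names follow the data model fields above, and the sample events and helper names are made up.

```python
import re
from collections import defaultdict

# Same wildcards as the Splunk WHERE clause; Windows registry paths are case-insensitive.
SHIM_PATH_RE = re.compile(r"CurrentVersion\\AppCompatFlags\\(Custom|InstalledSDB)", re.IGNORECASE)

def shim_registry_hits(events, span_seconds=3600):
    """Replay the search: keep AppCompatFlags writes that carry a value and
    aggregate them per 1h bucket and per dest/user/path/value/process_guid,
    computing count, firstTime and lastTime like the tstats aggregation."""
    buckets = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not SHIM_PATH_RE.search(ev.get("registry_path", "")):
            continue  # not under AppCompatFlags\Custom or \InstalledSDB
        if ev.get("registry_value_data") is None:
            continue  # where isnotnull(registry_value_data)
        t = ev["_time"]
        key = (t - t % span_seconds, ev["dest"], ev["user"], ev["registry_path"],
               ev.get("registry_value_name"), ev["registry_value_data"], ev.get("process_guid"))
        b = buckets[key]
        b["count"] += 1
        b["firstTime"] = t if b["firstTime"] is None else min(b["firstTime"], t)
        b["lastTime"] = t if b["lastTime"] is None else max(b["lastTime"], t)
    return dict(buckets)

def _ev(t, dest, user, path, value, name="DatabasePath", guid="pg-1"):
    # Helper (hypothetical) that builds one constructed Endpoint.Registry-style record.
    return {"_time": t, "dest": dest, "user": user, "registry_path": path,
            "registry_value_name": name, "registry_value_data": value, "process_guid": guid}

APPCOMPAT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"

# Constructed sample events, not real telemetry: two custom-shim writes for the
# same target within one hour, one InstalledSDB key with no value, one unrelated key.
SAMPLE_EVENTS = [
    _ev(1700000100, "ws01", "CORP\\alice", APPCOMPAT + r"\Custom\notepad.exe", "0x0", name="example.sdb"),
    _ev(1700000200, "ws01", "CORP\\alice", APPCOMPAT + r"\Custom\notepad.exe", "0x0", name="example.sdb"),
    _ev(1700000300, "ws02", "CORP\\bob", APPCOMPAT + r"\InstalledSDB\{constructed-guid}", None),
    _ev(1700000400, "ws02", "CORP\\bob", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "C:\\x.exe"),
]

if __name__ == "__main__":
    for key, agg in shim_registry_hits(SAMPLE_EVENTS).items():
        print(key[1], key[2], key[3], agg)
```

Only the two Custom-shim writes on ws01 survive, collapsed into one hourly bucket with count 2; the InstalledSDB event is dropped by the isnotnull check, so a shim registered with an empty value would need a separate search.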