detection.wiki

Event Triggered Execution: Application Shimming T1546.011

Tactics: Privilege Escalation, Persistence

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.

Events covered

6 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 11FileCreate
SysmonEvent ID 12RegistryEvent (Object create and delete)
SysmonEvent ID 13RegistryEvent (Value Set)
SysmonEvent ID 14RegistryEvent (Key and Value Rename)
Security-AuditingEvent ID 4688A new process has been created.

Authoring guide

Patterns shared across the 11 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (11 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
TargetObject5contains 4, ends_with 1, wildcard 1\software\microsoft\windows..., *\software\microsoft\windows..., \csrss.exe, \databasepath, \dllhost.exe
Details4contains 2, eq 1, is_not_null 1, is_null 1(Empty), :\windows\apppatch\custom, registerapprestart
CommandLine2contains 2, ends_with 1, eq 1, is_null 1 -c, -f, -m -bg, .sdb, :\program files (x86)\iis express\iisexpressshim.sdb
Image2ends_with 2\sdbinst.exe
OriginalFileName2eq 2sdbinst.exe
event.type2eq 2change, start
process_name2eq 2sdbinst.exe
ParentImage1ends_with 1\msiexec.exe
TargetFilename1contains 1windows\\\\apppatch\\\\custom
process.args1starts_with 1?
registry_path1contains 1currentversion\\\\appcompatflags\\\\custom, currentversion\\\\appcompatflags\\\\installedsdb

Top indicator values (36 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
CommandLinecontains
.sdb
2
CommandLinecontains
-m -bg
1
CommandLinecontains
:\program files (x86)\iis express\iisexpressshim.sdb
1
CommandLinecontains
:\program files\iis express\iisexpressshim.sdb
1
Imageends_with
\sdbinst.exe
22
OriginalFileNameeq
sdbinst.exe
22
TargetObjectcontains
\software\microsoft\windows nt\currentversion\appcompatflags\custom\
22
TargetObjectcontains
\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb\
22
TargetObjectcontains
\databasepath
1
TargetObjectcontains
\software\microsoft\windows nt\currentversion\appcompatflags\layers\
1
process_nameeq
sdbinst.exe
23
CommandLineends_with
-c
1
CommandLineends_with
-f
1
CommandLineends_with
-mm
1
CommandLineends_with
-t
1
Detailscontains
:\windows\apppatch\custom
1
Detailscontains
registerapprestart
1
Detailseq
(Empty)
12
ParentImageends_with
\msiexec.exe
1
TargetFilenamecontains
windows\\\\apppatch\\\\custom
1
TargetObjectends_with
\csrss.exe
1
TargetObjectends_with
\dllhost.exe
1
TargetObjectends_with
\explorer.exe
1
TargetObjectends_with
\runtimebroker.exe
1
TargetObjectends_with
\services.exe
1
TargetObjectends_with
\sihost.exe
1
TargetObjectends_with
\svchost.exe
1
TargetObjectends_with
\taskhostw.exe
1
TargetObjectends_with
\winlogon.exe
1
TargetObjectends_with
\wmiprvse.exe
1

Exclusions (35 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
CommandLinecontains
-m -bg
1
CommandLinecontains
.sdb
1
CommandLinecontains
:\program files (x86)\iis express\iisexpressshim.sdb
1
CommandLinecontains
:\program files\iis express\iisexpressshim.sdb
1
CommandLineends_with
-c
1
CommandLineends_with
-f
1
CommandLineends_with
-mm
1
CommandLineends_with
-t
1
CommandLinein
*-?
1
CommandLinein
*-m -bg
1
CommandLinein
*-mm
1
CommandLinein
C:\\Windows\\System32\\sdbinst.exe
1
CommandLinein
\"C:\\Windows\\System32\\sdbinst.exe\"
1
Detailscontains
:\windows\apppatch\custom
1
Detailseq
(Empty)
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 6 rules

Elastic 2 rules

Splunk 3 rules