Skip to content
Threat Feed
medium advisory

Application Compatibility Shim Database Installation for Persistence

Attackers abuse Application Compatibility Shims to establish persistence by installing custom shim databases, allowing for stealthy code execution within legitimate Windows processes.

Attackers can leverage the Application Compatibility (AppCompat) Shim functionality in Windows to maintain persistence and execute arbitrary code. This involves creating and installing custom shim databases (.sdb files) that modify the behavior of legitimate applications. By manipulating these shims, adversaries can ensure their malicious code is executed whenever the targeted application is launched. This technique allows attackers to operate stealthily within trusted processes, evading traditional detection methods. The targeted registry paths are within HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\. This activity has been observed in various attack campaigns and is a known method for achieving persistence. The detection rule provided identifies the creation of these custom shim databases by monitoring specific registry changes, excluding known legitimate uses by applications like SAP and Kaspersky to minimize false positives.

Attack Chain

  1. The attacker gains initial access to the system through unspecified means.
  2. The attacker identifies a target application for persistence.
  3. The attacker creates a malicious shim database (.sdb file) designed to execute arbitrary code when the target application is launched.
  4. The attacker modifies the Windows Registry to register the custom shim database with the target application, specifically under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\.
  5. The system registers the newly created shim upon application launch.
  6. When the target application is executed, the malicious shim is loaded and executed within the context of the application.
  7. The attacker achieves persistence, with their code running whenever the target application is launched.

Impact

Successful exploitation allows the attacker to maintain persistent access to the compromised system, even after reboots. This can lead to long-term data exfiltration, deployment of ransomware, or further compromise of the network. While the number of victims and targeted sectors are not specified, the technique itself is applicable across various environments, making it a significant threat.

Recommendation

  • Enable registry monitoring and logging to capture changes to the AppCompatFlags\Custom registry key using Sysmon or Windows Event Logs, enabling the "Installation of Custom Shim Databases" rule.
  • Implement the provided Sigma rule to detect the creation of custom shim databases by monitoring registry changes, tuning exclusions for your environment.
  • Regularly review and update the exclusion list of known legitimate processes that use shim databases to minimize false positives, as described in the rule's documentation.
  • Investigate any alerts generated by the Sigma rule, focusing on the process making the registry changes and the contents of the .sdb file.

Detection coverage 2

Detect Installation of Custom Shim Databases via Registry

medium

Detects the creation of custom Application Compatibility Shim databases by monitoring registry modifications under the AppCompatFlags\Custom key.

sigma tactics: persistence techniques: T1546.011 sources: registry_set, windows

Detect Shim Database Creation by Uncommon Processes

low

Detects the creation of .sdb files by processes not typically associated with application compatibility tasks.

sigma tactics: persistence techniques: T1546.011 sources: file_event, windows

Detection queries are available on the platform. Get full rules →