New Custom Shim Database Created

Sigma Rules

Summary
This detection rule identifies the creation of new custom shim databases in the Windows Application Compatibility Framework, a feature adversaries can abuse to establish persistence and elevate privileges. The Windows Application Compatibility Infrastructure provides backward compatibility for applications as their codebase evolves. When new shim databases are created in the directories associated with application shimming (specifically `C:\Windows\apppatch\Custom\` or `C:\Windows\apppatch\CustomSDB\`), this may indicate that a malicious actor is using the feature to run a payload under the guise of legitimate application behavior. Because legitimate software can also create these databases, a follow-up investigation is needed to confirm whether the creation was intended. The rule's logic uses file event logs to flag any file creation under these directories as a potential security incident.
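As an added illustration of the rule's logic (not the rule's own code or anything from the original page), the following Python applies the directory check to constructed Sysmon FileCreate (Event ID 11) records; the event shape, the field names `TargetFilename` and `Image`, and all sample values are assumptions.

```python
"""Added example: apply the shim-database directory check from the rule to
constructed file-creation events and return the ones that need triage."""
from typing import Iterable

# Directories the rule watches (from the page). Compared case-insensitively,
# since Windows paths are case-insensitive and the rule's match should be too.
SHIM_DB_DIRS = (
    "C:\\Windows\\apppatch\\Custom\\",
    "C:\\Windows\\apppatch\\CustomSDB\\",
)

SYSMON_FILE_CREATE = 11  # assumption: Sysmon Event ID for FileCreate


def is_custom_shim_db_path(target: str) -> bool:
    """True when a created file lies under one of the watched directories.
    Forward slashes are normalised so an unusual path spelling is not missed."""
    norm = target.replace("/", "\\").lower()
    return any(norm.startswith(d.lower()) for d in SHIM_DB_DIRS)


def find_shim_db_creations(events: Iterable[dict]) -> list:
    """Return (Image, TargetFilename) pairs for creations the rule would flag.
    Every hit still needs triage: installers legitimately create .sdb files,
    so the creating process is kept to support that follow-up."""
    hits = []
    for ev in events:
        if ev.get("EventID") != SYSMON_FILE_CREATE:
            continue
        target = ev.get("TargetFilename", "")
        if is_custom_shim_db_path(target):
            hits.append((ev.get("Image", "<unknown>"), target))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "TargetFilename": "C:\\Windows\\apppatch\\Custom\\{6f8a1d2e-example}.sdb"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\notes.txt"},
    {"EventID": 11, "Image": "C:\\Temp\\setup.exe",
     "TargetFilename": "c:/windows/AppPatch/CustomSDB/fix.sdb"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\apppatch\\Custom\\ignored.sdb"},
]

if __name__ == "__main__":
    for image, path in find_shim_db_creations(SAMPLE_EVENTS):
        print(f"triage: {image} created {path}")
```

Only the two FileCreate events under the watched directories are returned; the process-creation event (ID 1) with a matching path is ignored because the rule is scoped to file events.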
Categories
  • Windows
  • Endpoint
Data Sources
  • File
ATT&CK Techniques
  • T1546.011
Created: 2021-12-29