Installation of Custom Shim Databases

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies the installation of custom Application Compatibility Shim databases in Windows environments. Application Compatibility Shims exist to let older applications run on newer versions of Windows, but attackers can abuse them to gain persistence and execute malicious code covertly inside legitimate Windows processes. The rule triggers on changes to the specific registry paths associated with these shims and excludes changes made by known legitimate processes (such as certain SAP and Kaspersky applications). The detection logic targets instances over the last nine months, analyzing logs from sources such as Windows Event Logs, Sysmon, and Microsoft Defender. The risk score is 47, which corresponds to a medium severity. The rule is particularly relevant to organizations concerned with detecting adversary persistence techniques, since it provides a way to monitor and respond to registry modifications that could indicate unauthorized access or exploitation.
Categories
  • Windows
  • Endpoint
  • Cloud
  • On-Premise
Data Sources
  • Windows Registry
  • Application Log
  • Process
  • Network Share
  • File
ATT&CK Techniques
  • T1546
  • T1546.011
Created: 2020-09-02