Potential Persistence Via Shim Database In Uncommon Location

Summary
This rule detects the registration of a new shim database (SDB) whose file lives in an uncommon, non-default path on Windows. Shim databases are part of the Application Compatibility infrastructure: they let legacy software run on newer versions of Windows by applying compatibility fixes ("shims") at load time. Because a shim can redirect or inject code into a target process every time it starts, threat actors abuse the same mechanism as a persistence technique. When an SDB is installed (for example with `sdbinst.exe`), Windows records it in the registry under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\<GUID>`, including a `DatabasePath` value that points to the `.sdb` file. The rule looks for registry writes that create or change that `DatabasePath` value under the `InstalledSDB` key and filters out paths inside the default directory (`C:\Windows\AppPatch\Custom`) to reduce false positives from legitimate installs. The rule carries a high severity level because a matching event usually indicates a deliberate attempt to persist. Analysts should keep two caveats in mind: the filter is path-based, so an attacker who copies a malicious SDB into the default directory before registering it will not trigger this rule, and legitimate enterprise deployment tooling occasionally registers SDBs from a share or staging directory, which should be confirmed and then tuned out rather than ignored.
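The following is an added example, not part of the Sigma rule or this page: a small Python re-implementation of the detection logic described above, run over constructed Sysmon Event ID 13 (registry value set) records. It assumes Sysmon's field names (`TargetObject`, `Details`, `Image`); the decision to match the default directory case-insensitively and without a fixed drive letter is this example's choice, and the GUIDs and file paths in the sample events are made up.

```python
"""Re-implementation of the shim-database persistence check (example code,
not the Sigma project's). Matches registry writes to
...\AppCompatFlags\InstalledSDB\<GUID>\DatabasePath whose value points
outside the default C:\Windows\AppPatch\Custom directory."""

from typing import Dict, Iterable, List

# Assumption: events are Sysmon Event ID 13 (RegistryEvent, value set).
REGISTRY_VALUE_SET = 13
INSTALLED_SDB = "\\installedsdb\\"        # must appear somewhere in TargetObject
DATABASE_PATH = "\\databasepath"          # the value being written
# Default custom-SDB directory named on the page. Matched case-insensitively and
# without a drive letter (example's choice), so Custom\Custom64 is also covered.
DEFAULT_LOCATIONS = (":\\windows\\apppatch\\custom\\",)


def is_uncommon_shim_install(event: Dict[str, object]) -> bool:
    """True when the event sets an InstalledSDB DatabasePath that points
    outside the default directory."""
    if event.get("EventID") != REGISTRY_VALUE_SET:
        return False
    target = str(event.get("TargetObject", "")).lower()
    if INSTALLED_SDB not in target or not target.endswith(DATABASE_PATH):
        return False
    sdb_path = str(event.get("Details", "")).lower()
    # Anything inside the default directory is treated as a normal install.
    return not any(loc in sdb_path for loc in DEFAULT_LOCATIONS)


def hunt(events: Iterable[Dict[str, object]]) -> List[str]:
    """Return the SDB file paths from every matching event, in input order."""
    return [str(e["Details"]) for e in events if is_uncommon_shim_install(e)]


# Constructed sample telemetry (not real logs); GUIDs and paths are invented.
SDB_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB"
SAMPLE_EVENTS = [
    # 1. Ordinary sdbinst install into the default directory: filtered out.
    {"EventID": 13, "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": SDB_KEY + r"\{11111111-1111-1111-1111-111111111111}\DatabasePath",
     "Details": r"C:\Windows\AppPatch\Custom\{11111111-1111-1111-1111-111111111111}.sdb"},
    # 2. 64-bit fixes are stored under Custom\Custom64; still the default tree.
    {"EventID": 13, "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": SDB_KEY + r"\{22222222-2222-2222-2222-222222222222}\DatabasePath",
     "Details": r"C:\Windows\AppPatch\Custom\Custom64\{22222222-2222-2222-2222-222222222222}.sdb"},
    # 3. SDB registered from a user-writable directory: flagged.
    {"EventID": 13, "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": SDB_KEY + r"\{33333333-3333-3333-3333-333333333333}\DatabasePath",
     "Details": r"C:\Users\Public\Libraries\update.sdb"},
    # 4. Same key, but the value written is the description, not the path: ignored.
    {"EventID": 13, "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": SDB_KEY + r"\{33333333-3333-3333-3333-333333333333}\DatabaseDescription",
     "Details": "Compatibility Fix"},
    # 5. Direct registry write by another process with odd casing: still flagged,
    #    because the logic keys on the value path, not on the writing image.
    {"EventID": 13, "Image": r"C:\Temp\reg.exe",
     "TargetObject": SDB_KEY.upper() + r"\{44444444-4444-4444-4444-444444444444}\DATABASEPATH",
     "Details": r"C:\ProgramData\svc\{44444444-4444-4444-4444-444444444444}.sdb"},
]


if __name__ == "__main__":
    for path in hunt(SAMPLE_EVENTS):
        print("uncommon shim database location:", path)
```

Events 1 and 2 show the intended false-positive suppression, event 4 shows that only the `DatabasePath` value is considered, and event 5 shows that the check does not depend on `sdbinst.exe` being the writer. Event 1 is also the evasion the page's caveat refers to: an SDB dropped into the default directory passes the filter, so this rule should be paired with file-creation monitoring of `C:\Windows\AppPatch\Custom` or with process telemetry for `sdbinst.exe`.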
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2023-08-01