
Potential Shim Database Persistence via Sdbinst.EXE

Summary
This rule looks for a persistence technique that abuses the Windows Application Compatibility framework: custom shim databases (.sdb files). sdbinst.exe is the built-in utility that registers a shim database on a system. Once a shim is installed, the code it points to runs every time the targeted application launches, which gives an adversary a durable, low-noise foothold and, depending on the shim, a path to run code with the target's privileges. The rule fires on process-creation events in which sdbinst.exe is executed with command line arguments that install a shim database. An optional filter excludes one known legitimate case, sdbinst.exe launched by msiexec.exe with the IIS Express shim database path, so that routine installer activity is not flagged.
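The following is an added example that re-implements the detection logic described in the summary as a small matcher over constructed process-creation events; it is not the Sigma rule's own source. Field names follow Sigma's process_creation conventions (Image, CommandLine, ParentImage) as Sysmon Event ID 1 provides them. The selection string (a ".sdb" argument), the filter's parent-process check and the exact IIS Express path fragments are assumptions modelled on the summary, not copied from the rule, and the sample events are constructed, not real telemetry.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """A process-creation event using Sigma's process_creation field names
    (Image, CommandLine, ParentImage), as Sysmon Event ID 1 provides them."""
    image: str
    command_line: str
    parent_image: str


def _norm(s: str) -> str:
    # Windows paths and arguments are case-insensitive; compare lower-cased.
    return s.lower()


def is_sdbinst_shim_install(ev: ProcessEvent) -> bool:
    """Selection (assumed): sdbinst.exe run with a shim database (.sdb) argument."""
    return _norm(ev.image).endswith("\\sdbinst.exe") and ".sdb" in _norm(ev.command_line)


# Assumed legitimate case from the summary: the IIS Express installer (running under
# msiexec.exe) invokes sdbinst.exe on its own shim database. The path fragments below
# are an assumption for this example, not copied from the rule.
IIS_EXPRESS_SHIM_FRAGMENTS = (
    ":\\program files\\iis express\\iisexpressshim.sdb",
    ":\\program files (x86)\\iis express\\iisexpressshim.sdb",
)


def is_iis_express_install(ev: ProcessEvent) -> bool:
    """Optional filter: parent is msiexec.exe AND the command line names the IIS Express shim."""
    cmd = _norm(ev.command_line)
    return _norm(ev.parent_image).endswith("\\msiexec.exe") and any(
        frag in cmd for frag in IIS_EXPRESS_SHIM_FRAGMENTS
    )


def matches(ev: ProcessEvent) -> bool:
    """Sigma-style condition: selection and not filter_optional."""
    return is_sdbinst_shim_install(ev) and not is_iis_express_install(ev)


def alerts(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return every event that the rule would flag."""
    return [ev for ev in events if matches(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Suspicious: shim database installed quietly from a user-writable directory.
    ProcessEvent(
        image=r"C:\Windows\System32\sdbinst.exe",
        command_line=r'sdbinst.exe -q "C:\Users\Public\update.sdb"',
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    # 2. Legitimate: IIS Express installer registering its own shim database (filtered).
    ProcessEvent(
        image=r"C:\Windows\System32\sdbinst.exe",
        command_line=r'"C:\Windows\System32\sdbinst.exe" -q "C:\Program Files\IIS Express\iisexpressshim.sdb"',
        parent_image=r"C:\Windows\System32\msiexec.exe",
    ),
    # 3. Same IIS Express path but launched from PowerShell: the filter also requires
    #    msiexec.exe as parent, so this still alerts (the path alone is not trusted).
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\sdbinst.exe",
        command_line=r'sdbinst.exe -q "C:\Program Files\IIS Express\iisexpressshim.sdb"',
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    ),
    # 4. Case variation: still matches because comparison is case-insensitive.
    ProcessEvent(
        image=r"C:\WINDOWS\SYSTEM32\SDBINST.EXE",
        command_line=r"SDBINST.EXE -Q C:\ProgramData\Shim.SDB",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    # 5. Unrelated process: no match.
    ProcessEvent(
        image=r"C:\Windows\System32\notepad.exe",
        command_line=r"notepad.exe C:\Temp\notes.txt",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]


if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print("ALERT:", ev.command_line, "(parent:", ev.parent_image + ")")
```

Two practical caveats follow from the logic. First, the filter is keyed on both the parent process and the path, so a shim dropped anywhere else, or the IIS Express path used from a non-installer parent, still alerts; conversely, a malicious package that runs under msiexec.exe and reuses the IIS Express path would be suppressed, so the filter is worth reviewing against your own installer inventory before enabling it. Second, on an alert the installed shim can be confirmed on the host: sdbinst.exe records it under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom and \InstalledSDB, and copies the database into %SystemRoot%\AppPatch\Custom (or Custom\Custom64 for 64-bit targets).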
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2019-01-16