
Suspicious Shim Database Patching Activity

Sigma Rules

Summary
This detection rule identifies suspicious activity relating to the installation of new shim databases (.sdb files) on Windows systems. Shim databases are part of the Windows Application Compatibility Framework and modify how an application interacts with the operating system, usually to keep older software running on newer Windows versions. Attackers abuse the same mechanism (MITRE ATT&CK T1546.011, Application Shimming) to inject code into, or redirect the behaviour of, a target process each time it starts, which gives them persistence and a way to run code under a trusted process name.

The rule monitors registry value writes under \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\ (in HKLM), where Windows records which custom shim database applies to which executable: each subkey is named after the shimmed executable and holds a value named after the installed database. The detection logic fires when such an entry is created for a critical Windows component (for example csrss.exe or dllhost.exe), since a legitimate compatibility fix has no reason to target those binaries and attackers favour them as injection targets. The rule has a high severity level.

Note that sdbinst.exe writes to this key during legitimate installs, so it is the process name under Custom\, not the write itself, that makes the event suspicious. When the rule fires, the database GUID in the value name corresponds to a subkey under AppCompatFlags\InstalledSDB whose DatabasePath value points to the .sdb file on disk, which should be collected for analysis.
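To make the matching logic concrete, here is an added example (not code from the rule, its authors, or the Sigma project) that replays the described detection over a handful of constructed Sysmon Event ID 13 records and, for each hit, looks up the database path from the InstalledSDB key so the .sdb file can be collected. The matching is a reconstruction of what the summary describes rather than the rule's own YAML; the process list beyond csrss.exe and dllhost.exe, the sample paths, the GUIDs and the helper names are all assumptions.

```python
"""Replay of the shim-database detection over constructed Sysmon Event ID 13
(RegistryEvent, value set) records.  Added example: the matching logic is a
reconstruction of what the rule summary describes, not the rule's own YAML,
and the process list beyond csrss.exe/dllhost.exe is an assumption."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Registry paths: Custom\ is the path the rule watches; InstalledSDB\ holds the
# on-disk location of each database GUID.  A raw string cannot end with a
# backslash, hence the concatenation.  Matching is case-insensitive, as the
# Sigma 'contains' modifier is.
CUSTOM_PATH = r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" + "\\"
INSTALLED_SDB_PATH = r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" + "\\"

# csrss.exe and dllhost.exe are named in the rule summary; the others are
# assumed additions typical of such a rule and may not match the real list.
CRITICAL_PROCESSES = frozenset({
    "csrss.exe", "dllhost.exe", "explorer.exe", "lsass.exe",
    "services.exe", "svchost.exe", "winlogon.exe",
})

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)


@dataclass(frozen=True)
class RegistryEvent:
    image: str          # process that performed the write (Sysmon 'Image')
    target_object: str  # full registry path including the value name
    details: str        # value data as Sysmon renders it


def shimmed_process(target_object: str) -> str | None:
    """Return the subkey name directly under ...\\AppCompatFlags\\Custom\\,
    or None if the write landed anywhere else in the registry."""
    lower = target_object.lower()
    idx = lower.find(CUSTOM_PATH.lower())
    if idx == -1:
        return None
    remainder = target_object[idx + len(CUSTOM_PATH):]
    return remainder.split("\\", 1)[0] or None


def matches_rule(event: RegistryEvent) -> bool:
    """Fire when a Custom\\<exe> entry is written for a critical Windows binary."""
    proc = shimmed_process(event.target_object)
    return proc is not None and proc.lower() in CRITICAL_PROCESSES


def sdb_paths(events: list[RegistryEvent]) -> dict[str, str]:
    """Map database GUID -> .sdb path from InstalledSDB\\{GUID}\\DatabasePath writes."""
    paths: dict[str, str] = {}
    for ev in events:
        lower = ev.target_object.lower()
        if INSTALLED_SDB_PATH.lower() in lower and lower.endswith("\\databasepath"):
            m = GUID_RE.search(ev.target_object)
            if m:
                paths[m.group(0).lower()] = ev.details
    return paths


def triage(events: list[RegistryEvent]) -> list[tuple[str, str, str]]:
    """For every hit: (shimmed process, writing process, .sdb file to collect)."""
    paths = sdb_paths(events)
    hits: list[tuple[str, str, str]] = []
    for ev in events:
        if not matches_rule(ev):
            continue
        m = GUID_RE.search(ev.target_object)
        guid = m.group(0).lower() if m else ""
        hits.append((shimmed_process(ev.target_object) or "", ev.image,
                     paths.get(guid, "<no InstalledSDB record>")))
    return hits


# Constructed sample telemetry (assumed values, not real events).
HKLM = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
SDBINST = r"C:\Windows\System32\sdbinst.exe"
GUID_A = "{11111111-2222-3333-4444-555555555555}"
GUID_B = "{66666666-7777-8888-9999-aaaaaaaaaaaa}"
GUID_C = "{bbbbbbbb-cccc-dddd-eeee-ffffffffffff}"
STAMP = "QWORD (0x01da1c2e-0x9f8e5c00)"

SAMPLE_EVENTS = [
    # Legitimate compatibility fix for a line-of-business app: no hit.
    RegistryEvent(SDBINST, f"{HKLM}\\InstalledSDB\\{GUID_A}\\DatabasePath",
                  f"C:\\Windows\\AppPatch\\Custom\\{GUID_A}.sdb"),
    RegistryEvent(SDBINST, f"{HKLM}\\Custom\\LegacyInventory.exe\\{GUID_A}.sdb", STAMP),
    # sdbinst-installed database targeting csrss.exe: hit, .sdb path resolvable.
    RegistryEvent(SDBINST, f"{HKLM}\\InstalledSDB\\{GUID_B}\\DatabasePath",
                  f"C:\\Windows\\AppPatch\\Custom\\{GUID_B}.sdb"),
    RegistryEvent(SDBINST, f"{HKLM}\\Custom\\csrss.exe\\{GUID_B}.sdb", STAMP),
    # Direct registry write by an unknown binary, mixed case, no InstalledSDB record.
    RegistryEvent(r"C:\Users\Public\update.exe", f"{HKLM}\\Custom\\DLLHOST.EXE\\{GUID_C}.sdb", STAMP),
    # Same process name under a different key (IFEO): a different technique, not this rule.
    RegistryEvent(r"C:\Windows\regedit.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\Debugger",
                  "ntsd -d"),
]

if __name__ == "__main__":
    for proc, image, sdb in triage(SAMPLE_EVENTS):
        print(f"shim for {proc} written by {image}; database: {sdb}")
```

The deliberately unmatched cases are the ones worth keeping in mind when tuning: a Custom\ entry for an ordinary application is the normal output of sdbinst.exe and must not fire, and a critical process name appearing under another AppCompatFlags or IFEO key is a different technique covered by other rules. A hit with no InstalledSDB record usually means the key was written directly rather than through sdbinst.exe, which is itself worth noting in the investigation.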
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Windows Registry
Created: 2023-08-01