
Summary
This detection rule monitors for a persistence mechanism in which adversaries modify the Shim database entries in the Windows Registry. Application Shims are part of the Microsoft Windows Application Compatibility Infrastructure and maintain compatibility for applications across different versions of the Windows operating system. Although designed to keep legacy applications working, the feature can be abused to create malicious entries that trigger the execution of attacker-controlled software or scripts whenever certain applications are launched. The rule specifically targets entries under the Registry keys related to Installed SDBs (Software Database) and Custom SHIM configurations, which are known to be leveraged for persisting malicious payloads. The detection logic filters out legitimate SHIM modifications to reduce false positives. Keeping the false-positive rate low matters in environments where custom SHIM installations exist, since those would trigger the same alerts without indicating malicious intent.
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1546.011
Created: 2021-12-30