
Registry Keys for Creating SHIM Databases

Splunk Security Content

Summary
This analytic monitors Windows registry activity tied to the installation of application compatibility shim databases, specifically writes under the AppCompatFlags registry paths where sdbinst.exe records an installed shim database (the InstalledSDB and Custom subkeys). It uses Sysmon registry telemetry, Event ID 12 (registry key created or deleted) and Event ID 13 (registry value set), to observe the keys and values being written. Shims are a Windows application-compatibility mechanism: the operating system applies a shim database (SDB) to a target executable at launch so that legacy software runs on newer Windows versions. Because the shim is applied every time the target process starts, an attacker who registers a malicious SDB gains a reliable way to execute code persistently, bypass security controls, or escalate privileges (ATT&CK T1546.011). The detection flags registry keys and values created or modified under these paths, since each corresponds to a shim database being registered on the host. Confirmed malicious activity can give an attacker long-term access or arbitrary code execution on the affected system, so hits warrant prompt investigation and remediation. Legitimate installers and compatibility fixes also register shim databases, so triage should confirm which process performed the write and which .sdb file the registry entry points to before acting.
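To make the detection logic concrete, the following added example (not Splunk's search and not part of the original page) applies the same rule to a handful of constructed Sysmon-style registry events: keep Event ID 12 and 13 records, match the target registry path against the AppCompatFlags\Custom and AppCompatFlags\InstalledSDB subkeys, and group the hits by the process that performed the write. The `RegistryEvent` class, the sample events, the GUID and the binary names are assumptions made for illustration; only the registry path structure reflects how installed shim databases are recorded.

```python
"""Flag Sysmon registry events that touch application-shim database keys."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Subkeys under ...\CurrentVersion\AppCompatFlags where an installed shim
# database (SDB) is recorded: InstalledSDB\{GUID} holds the database path,
# Custom\<target exe> maps an executable to the SDB that shims it.
SHIM_DB_PATH_RE = re.compile(
    r"\\CurrentVersion\\AppCompatFlags\\(Custom|InstalledSDB)(?:\\|$)",
    re.IGNORECASE,
)
SUBKEY_NAMES = {"custom": "Custom", "installedsdb": "InstalledSDB"}

# Sysmon registry events in scope for the rule: 12 = key created/deleted,
# 13 = value set.
REGISTRY_EVENT_IDS = {12, 13}


@dataclass(frozen=True)
class RegistryEvent:
    """Minimal view of a Sysmon registry event (hypothetical class, fields
    named after Sysmon's own)."""
    event_id: int
    event_type: str       # CreateKey, DeleteKey, SetValue, RenameKey, ...
    image: str            # process that performed the registry operation
    target_object: str    # full registry path as Sysmon reports it
    details: str = ""     # value data (EID 13 only)


def is_shim_db_write(ev: RegistryEvent) -> bool:
    """True when a Sysmon EID 12/13 event targets a shim-database key."""
    if ev.event_id not in REGISTRY_EVENT_IDS:
        return False
    return SHIM_DB_PATH_RE.search(ev.target_object) is not None


def detect_shim_installs(
    events: Iterable[RegistryEvent],
) -> Dict[Tuple[str, str], List[RegistryEvent]]:
    """Group flagged events by (writing process, AppCompatFlags subkey).

    Grouping by Image is what lets an analyst separate the normal installer
    (sdbinst.exe) from an arbitrary binary writing the same keys directly.
    """
    hits: Dict[Tuple[str, str], List[RegistryEvent]] = {}
    for ev in events:
        if not is_shim_db_write(ev):
            continue
        match = SHIM_DB_PATH_RE.search(ev.target_object)
        subkey = SUBKEY_NAMES[match.group(1).lower()]
        hits.setdefault((ev.image.lower(), subkey), []).append(ev)
    return hits


def reg_path(*parts: str) -> str:
    """Join registry path components with backslashes."""
    return "\\".join(parts)


# Constructed sample telemetry, not real events. GUIDs and binaries are made up.
APPCOMPAT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
SDB_GUID = "{7d2b8a4e-0c1f-4a3b-9e6d-1f2a3b4c5d6e}"
SDBINST = r"C:\Windows\System32\sdbinst.exe"
SAMPLE_EVENTS = [
    # sdbinst.exe registering a custom shim for notepad.exe: three writes
    RegistryEvent(12, "CreateKey", SDBINST,
                  reg_path(APPCOMPAT, "InstalledSDB", SDB_GUID)),
    RegistryEvent(13, "SetValue", SDBINST,
                  reg_path(APPCOMPAT, "InstalledSDB", SDB_GUID, "DatabasePath"),
                  r"C:\Windows\AppPatch\Custom\{7d2b8a4e-0c1f-4a3b-9e6d-1f2a3b4c5d6e}.sdb"),
    RegistryEvent(13, "SetValue", SDBINST,
                  reg_path(APPCOMPAT, "Custom", "notepad.exe", SDB_GUID + ".sdb")),
    # an unexpected binary writing the Custom key directly, bypassing sdbinst
    RegistryEvent(13, "SetValue", r"C:\Users\Public\upd.exe",
                  reg_path(APPCOMPAT, "Custom", "explorer.exe",
                           "{0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9}.sdb")),
    # AppCompatFlags\Layers is compatibility-mode settings, not a shim database
    RegistryEvent(13, "SetValue", r"C:\Windows\explorer.exe",
                  r"HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\tools\legacy.exe",
                  "~ WIN7RTM"),
    # unrelated registry write (Run key), outside the shim paths entirely
    RegistryEvent(13, "SetValue", r"C:\Windows\explorer.exe",
                  r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                  r"C:\Users\Public\upd.exe"),
    # EID 14 (rename) also touches the registry but is outside the 12/13 scope
    RegistryEvent(14, "RenameKey", SDBINST,
                  reg_path(APPCOMPAT, "InstalledSDB", SDB_GUID)),
]


if __name__ == "__main__":
    for (image, subkey), evs in sorted(detect_shim_installs(SAMPLE_EVENTS).items()):
        print(f"{len(evs)} write(s) to AppCompatFlags\\{subkey} by {image}")
        for ev in evs:
            print(f"    EID {ev.event_id} {ev.event_type}: {ev.target_object}")
```

Run stand-alone, the script flags four of the seven events: the three sdbinst.exe writes and the single write from the unexpected binary, while the Layers, Run-key and EID 14 events are left alone. Grouping by image is the triage step the summary's caveat calls for: the sdbinst.exe group is what a legitimate install looks like and still needs the referenced .sdb file checked, whereas a non-installer process writing these keys directly has no benign explanation.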
Categories
  • Endpoint
  • Windows
Data Sources
  • User Account
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1546.011
  • T1546
Created: 2024-12-08