2017-10-11 10:35:17 -07:00
|
|
|
|
## Application Shimming
|
|
|
|
|
|
|
|
|
|
|
|
MITRE ATT&CK Technique: [T1138](https://attack.mitre.org/wiki/Technique/T1138)
|
|
|
|
|
|
|
|
|
|
|
|
#### Deploying a custom shim database to users requires the following actions:
|
|
|
|
|
|
|
|
|
|
|
|
##### 1.) Placing the custom shim database (*.sdb file) in a location to which the user’s computer has access (either locally or on the network)
|
|
|
|
|
|
|
|
|
|
|
|
##### 2.) Possibly calling the sdbinst.exe command-line utility to install the custom shim database locally.
|
|
|
|
|
|
|
|
|
|
|
|
##### 3.) Registry Modification - This is completed either manually or by an installation tool.
|
|
|
|
|
|
|
|
|
|
|
|
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
|
2017-12-07 09:03:07 -07:00
|
|
|
|
|
2017-10-11 10:35:17 -07:00
|
|
|
|
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
|
2017-12-07 09:03:07 -07:00
|
|
|
|
|
2017-10-11 10:35:17 -07:00
|
|
|
|
#### Detecting the shim execution is difficult. We suggest detection of Shim Installation.
|
2017-12-07 09:03:07 -07:00
|
|
|
|
|
|
|
|
|
|
## Test Script
|
|
|
|
|
|
|
2017-12-07 09:21:59 -07:00
|
|
|
|
[AppCompatShims](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AppCompatShims)
|
