security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5f848fe2c19d948c3ef18f2becedf335fdff3c8e
atomic-red-team/Windows/Persistence/Application_Shimming.md
T
caseysmithrc 8f95d8b119 Fix Typo
2017-12-07 09:21:59 -07:00

22 lines
917 B
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
## Application Shimming
MITRE ATT&CK Technique: [T1138](https://attack.mitre.org/wiki/Technique/T1138)
#### Deploying a custom shim database to users requires the following actions:
##### 1.) Placing the custom shim database (*.sdb file) in a location to which the users computer has access (either locally or on the network)
##### 2.) Possibly calling the sdbinst.exe command-line utility to install the custom shim database locally.
##### 3.) Registry Modification - This is completed either manually or by an installation tool.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
#### Detecting the shim execution is difficult. We suggest detection of Shim Installation.
## Test Script
[AppCompatShims](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AppCompatShims)
Reference in New Issue View Git Blame Copy Permalink