sigma-rules/rules/windows/persistence_app_compat_shim.toml

[metadata]
creation_date = "2020/09/02"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/09/15"

[rule]
author = ["Elastic"]
description = """
Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been
abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Installation of Custom Shim Databases"
risk_score = 47
rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
type = "eql"

query = '''
sequence by process.entity_id with maxspan = 5m
  [process where event.type == "start" and
    not (process.name : "sdbinst.exe" and process.parent.name : "msiexec.exe")]
  [registry where event.type in ("creation", "change") and
    registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*.sdb"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.011"
name = "Application Shimming"
reference = "https://attack.mitre.org/techniques/T1546/011/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"