Skip to content

DET0017 Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows)

Item Value
ID DET0017
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1546.011 (Application Shimming)

Analytics

Windows

AN0051

Correlated modification of AppCompat registry keys and execution of sdbinst.exe to install custom shim databases. Followed by DLL injection via shim behavior into target application processes.

Log Sources
Data Component Name Channel
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Mutable Elements
Field Description
CustomShimPathAllowlist Filter out known-good .sdb paths in AppPatch\Custom folders
TimeWindow Tunable window for correlating registry modification and sdbinst.exe execution
DLLInjectionTarget Expected target applications or binaries for injected DLLs
UserContext Limit alerting to admin or SYSTEM-context initiated shim installations
ShimCommandLinePattern Expected or benign sdbinst.exe command-line patterns to exclude