Registry Keys For Creating Shim Databases

Description

This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Privilege Escalation
Persistence

MITRE ATT&CK Techniques

Event Triggered Execution

Application Shimming

MITRE Threat Groups

FIN7

Kill Chain Phases

Actions On Objectives

Data Sources

Windows Security

   Help

Registry Keys For Creating Shim Databases Help

To successfully implement this search, you must populate the Change_Analysis data model. This is typically populated via endpoint detection and response products, such as Carbon Black or other endpoint data sources such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.

   Search

Open in Search