Correlates modification of the Application Compatibility registry keys (the AppCompatFlags\Custom and AppCompatFlags\InstalledSDB subkeys written when a shim database is installed) with execution of sdbinst.exe installing a custom shim database (.sdb), within a tunable time window. The chain is then confirmed by shim-driven DLL injection: a module loaded into the shimmed target application process from a location the shim database points to, rather than from the application's own or the system directory.

| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| CustomShimPathAllowlist | Filter out known-good .sdb paths in AppPatch\Custom folders |
| TimeWindow | Tunable window for correlating registry modification and sdbinst.exe execution |
| DLLInjectionTarget | Expected target applications or binaries for injected DLLs |
| UserContext | Limit alerting to admin or SYSTEM-context initiated shim installations |
| ShimCommandLinePattern | Expected or benign sdbinst.exe command-line patterns to exclude |
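The following is an added worked example of the correlation described above, written for this page and not part of the ATT&CK analytic or any vendor detection. It runs the three-stage logic (sdbinst.exe process creation, AppCompatFlags registry write, follow-on DLL load in the shimmed process) over a handful of constructed sample events, with each tunable from the table above represented as a module-level setting. The user names, .sdb paths, GUID, target application and DLL path are hypothetical, and the UserContext check is a stand-in regex since the raw events do not carry group membership.

```python
"""Correlate sdbinst.exe execution, AppCompatFlags registry writes and a
follow-on DLL load in the shimmed process (added example; sample events are
constructed, not real telemetry)."""
import re
from datetime import datetime, timedelta
from typing import Optional

# --- Tunables, mirroring the analytic's mutable elements --------------------
TIME_WINDOW = timedelta(minutes=5)
# CustomShimPathAllowlist: known-good .sdb locations (compared lower-case)
CUSTOM_SHIM_PATH_ALLOWLIST = ("c:\\windows\\apppatch\\custom\\",)
# ShimCommandLinePattern: benign invocations to exclude, e.g. uninstalls (-u)
SHIM_COMMANDLINE_PATTERNS = (re.compile(r"(^|\s)[-/]u(\s|$)", re.I),)
# DLLInjectionTarget: applications whose module loads we care about (hypothetical)
DLL_INJECTION_TARGETS = {"c:\\program files\\contoso\\agent.exe"}
# UserContext: hypothetical stand-in for "admin or SYSTEM initiated"
PRIVILEGED_USERS = re.compile(r"(NT AUTHORITY\\SYSTEM|\\admin)$", re.I)

# Registry keys touched when a shim database is installed
APPCOMPAT_KEY = re.compile(r"\\AppCompatFlags\\(Custom|InstalledSDB)(\\|$)", re.I)


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def extract_sdb(cmdline: str) -> Optional[str]:
    """Pull the .sdb argument (quoted or bare) out of an sdbinst command line."""
    m = re.search(r'"([^"]+\.sdb)"|(\S+\.sdb)', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def correlate(events, window=TIME_WINDOW):
    """Return one alert per suspicious shim installation.

    Stage 1: sdbinst.exe process creation not excluded by the tunables.
    Stage 2: a 4657 write to AppCompatFlags\\Custom or \\InstalledSDB within +/- window.
    Stage 3 (escalates severity): an EventCode 7 load in a target application of a
    module outside C:\\Windows or unsigned, within window after the install.
    """
    evs = sorted(events, key=lambda e: ts(e["t"]))
    alerts = []
    for e in evs:
        if not (e["src"] == "Sysmon" and e["code"] == 1
                and e["image"].lower().endswith("\\sdbinst.exe")):
            continue
        if any(p.search(e["cmdline"]) for p in SHIM_COMMANDLINE_PATTERNS):
            continue
        sdb = extract_sdb(e["cmdline"])
        if sdb and sdb.lower().startswith(CUSTOM_SHIM_PATH_ALLOWLIST):
            continue
        if not PRIVILEGED_USERS.search(e["user"]):
            continue
        t0 = ts(e["t"])
        reg = [r["key"] for r in evs
               if r["src"] == "Security" and r["code"] == 4657
               and APPCOMPAT_KEY.search(r["key"])
               and abs(ts(r["t"]) - t0) <= window]
        if not reg:
            continue
        loads = [m["loaded"] for m in evs
                 if m["src"] == "Sysmon" and m["code"] == 7
                 and t0 <= ts(m["t"]) <= t0 + window
                 and m["image"].lower() in DLL_INJECTION_TARGETS
                 and (not m["loaded"].lower().startswith("c:\\windows\\")
                      or not m.get("signed", False))]
        alerts.append({"time": e["t"], "user": e["user"], "sdb": sdb,
                       "registry_keys": reg, "dll_loads": loads,
                       "severity": "high" if loads else "medium"})
    return alerts


# Constructed sample events (hypothetical hosts, users and paths)
SAMPLE_EVENTS = [
    # Benign: vendor shim installed from the standard AppPatch\Custom folder
    {"t": "2024-05-01T09:00:00", "src": "Sysmon", "code": 1, "pid": 3001,
     "image": "C:\\Windows\\System32\\sdbinst.exe", "user": "CORP\\admin",
     "cmdline": 'sdbinst.exe -q "C:\\Windows\\AppPatch\\Custom\\vendorfix.sdb"'},
    {"t": "2024-05-01T09:00:01", "src": "Security", "code": 4657, "pid": 3001,
     "user": "CORP\\admin",
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
            "\\AppCompatFlags\\InstalledSDB\\{11111111-2222-3333-4444-555555555555}"},
    # Suspicious: shim from a user-writable path, then a DLL load in the target
    {"t": "2024-05-01T10:00:00", "src": "Sysmon", "code": 1, "pid": 4100,
     "image": "C:\\Windows\\System32\\sdbinst.exe", "user": "CORP\\admin",
     "cmdline": "sdbinst.exe -q C:\\Users\\Public\\update.sdb"},
    {"t": "2024-05-01T10:00:02", "src": "Security", "code": 4657, "pid": 4100,
     "user": "CORP\\admin",
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
            "\\AppCompatFlags\\Custom\\agent.exe"},
    {"t": "2024-05-01T10:03:30", "src": "Sysmon", "code": 7, "pid": 5200,
     "image": "C:\\Program Files\\Contoso\\agent.exe",
     "loaded": "C:\\Users\\Public\\helper.dll", "signed": False},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Two practical notes. Security EventCode 4657 is only emitted when the Audit Registry subcategory is enabled and a SACL is present on the AppCompatFlags keys; where that auditing is not configured, Sysmon EventCode 13 (RegistryEvent, value set) on the same key paths is the usual substitute and slots into stage 2 unchanged. The stage-3 load is what separates an odd but harmless shim from injection; sdbinst.exe alone, run by an administrator, is common enough on patched estates that the medium-severity result should go to triage rather than page anyone.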