MITRE ATT&CK® Detection Strategy

DET0017: Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows)


Domain: Enterprise · ID: DET0017 · Type: Detection Strategy · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0017 is a MITRE detection strategy for finding Windows Application Shimming activity associated with persistence and privilege escalation. The business value is not just spotting a tool name; it is validating whether the organization can see compatibility-database installation activity and related registry artifacts that may allow unwanted code to run again after reboot or under favorable execution conditions.

Executive priority

Prioritize this as a Windows resilience and incident-readiness question: can the SOC prove it would notice suspicious application shim installation or registration activity, and can IR teams quickly determine whether it represents legitimate compatibility work or a persistence mechanism? This matters for control assurance, audit evidence around endpoint monitoring, and decisions about hardening privileged change paths on Windows systems.

Technical view

The supplied object has no official detection text, but its name and relationship indicate a strategy focused on Application Shimming via sdbinst.exe and registry artifacts, detecting ATT&CK T1546.011. SOC and detection teams should validate visibility into process execution involving sdbinst.exe, creation or modification of shim-related registry artifacts, and endpoint context needed to distinguish approved application compatibility changes from suspicious persistence or privilege-escalation behavior. Because the related technique is Windows-focused and mapped to persistence and privilege-escalation tactics, triage should include user context, parent process, command-line details where available, host role, timing, and whether the activity aligns with authorized software deployment or troubleshooting.

Likely telemetry

  • Windows process execution telemetry for sdbinst.exe and parent/child process context
  • Command-line telemetry where collected
  • Windows registry modification telemetry for application shim or compatibility-related artifacts
  • Endpoint detection and response events related to persistence or privilege-related changes
  • Software deployment, change-management, or administrative activity records to compare against observed shim activity

Detection direction

  • Confirm whether detections cover both direct sdbinst.exe execution and registry artifacts associated with Application Shimming, rather than relying on a single indicator.
  • Tune for administrative and software-compatibility baselines, because legitimate application compatibility work may create similar artifacts.
  • Correlate process, registry, user, and change-management context to reduce false positives and improve triage quality.
  • Validate coverage on high-value Windows endpoints and servers where persistence or privilege escalation would have higher business impact.
  • Treat missing command-line or registry telemetry as a material blind spot for this strategy.
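The correlation logic the items above call for, as an added example that is not part of the MITRE object or of Glexia's analysis: it pairs each sdbinst.exe execution with shim-related registry writes on the same host within a short window, checks the activity against change-management approvals, and records a blind spot whenever command-line or registry telemetry is absent. The registry paths are taken from general knowledge of the T1546.011 technique rather than from this page, and every event, host, user and ticket id is constructed.

```python
"""Correlate sdbinst.exe executions, shim registry writes and change records.

Illustrative detection logic added to this page; all telemetry below is
constructed sample data, not real events.
"""
from datetime import datetime, timedelta

# Registry locations under which installed shim databases are registered.
# Assumption from general knowledge of T1546.011, not stated on this page.
SHIM_REGISTRY_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom",
)
# How close in time a registry write must be to an sdbinst.exe run to be linked.
CORRELATION_WINDOW = timedelta(minutes=5)


def _ts(s):
    return datetime.fromisoformat(s)


def is_shim_registry_key(key):
    return key.lower().startswith(tuple(p.lower() for p in SHIM_REGISTRY_PREFIXES))


def is_sdbinst(event):
    return event["type"] == "process" and event["image"].lower().endswith("\\sdbinst.exe")


def find_change_record(event, approvals):
    """Return the approval record covering this host, user and time, or None."""
    t = _ts(event["ts"])
    for a in approvals:
        if (a["host"] == event["host"] and a["user"].lower() == event["user"].lower()
                and _ts(a["start"]) <= t <= _ts(a["end"])):
            return a
    return None


def triage(events, approvals):
    """One finding per sdbinst.exe run, plus one per orphan shim registry write
    (a registry change with no sdbinst.exe execution nearby on that host)."""
    findings = []
    procs = [e for e in events if is_sdbinst(e)]
    reg = [e for e in events if e["type"] == "registry" and is_shim_registry_key(e["key"])]
    matched = set()
    for p in procs:
        t = _ts(p["ts"])
        related = [r for r in reg
                   if r["host"] == p["host"] and abs(_ts(r["ts"]) - t) <= CORRELATION_WINDOW]
        matched.update(id(r) for r in related)
        blind_spots = []
        if not p.get("cmdline"):
            blind_spots.append("no command line")
        if not related:
            blind_spots.append("no shim registry telemetry")
        approval = find_change_record(p, approvals)
        findings.append({
            "host": p["host"], "user": p["user"], "parent": p.get("parent"),
            "cmdline": p.get("cmdline"),
            "registry_keys": sorted({r["key"] for r in related}),
            "verdict": "approved" if approval else "suspicious",
            "ticket": approval["ticket"] if approval else None,
            "blind_spots": blind_spots,
        })
    for r in reg:
        if id(r) in matched:
            continue
        approval = find_change_record(r, approvals)
        findings.append({
            "host": r["host"], "user": r["user"], "parent": None, "cmdline": None,
            "registry_keys": [r["key"]],
            "verdict": "approved" if approval else "suspicious",
            "ticket": approval["ticket"] if approval else None,
            "blind_spots": ["no sdbinst.exe process telemetry"],
        })
    return findings


# Constructed sample telemetry: one approved deployment, one unapproved run
# lacking command-line capture, and one registry write with no process event.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2026-03-02T10:00:00", "host": "ws-042",
     "user": r"CORP\deploysvc", "image": r"C:\Windows\System32\sdbinst.exe",
     "parent": r"C:\Program Files\Deployment Agent\agent.exe",
     "cmdline": r"sdbinst.exe -q C:\Deploy\legacyapp.sdb"},
    {"type": "registry", "ts": "2026-03-02T10:00:02", "host": "ws-042",
     "user": r"CORP\deploysvc",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{constructed-guid-1}"},
    {"type": "process", "ts": "2026-03-02T10:30:00", "host": "ws-117",
     "user": r"CORP\jdoe", "image": r"C:\Windows\System32\sdbinst.exe",
     "parent": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe", "cmdline": None},
    {"type": "registry", "ts": "2026-03-02T10:31:00", "host": "ws-117",
     "user": r"CORP\jdoe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\legacyapp.exe"},
    {"type": "registry", "ts": "2026-03-02T11:05:00", "host": "srv-db01",
     "user": r"CORP\svc-backup",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{constructed-guid-2}"},
    {"type": "registry", "ts": "2026-03-02T11:06:00", "host": "srv-db01",
     "user": r"CORP\svc-backup", "key": r"HKCU\Software\Constructed\Setting"},
]
SAMPLE_APPROVALS = [
    {"ticket": "CHG-0001", "host": "ws-042", "user": r"CORP\deploysvc",
     "start": "2026-03-02T09:45:00", "end": "2026-03-02T10:15:00"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_APPROVALS):
        print(f["host"], f["verdict"], f["ticket"], f["blind_spots"])
```

The orphan-registry path matters in practice: if process telemetry is filtered or missing on a host, the registry write is the only remaining signal, and the finding records that the process side is a blind spot rather than silently dropping the event.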

Mitigation priorities

  • Establish or review approved processes for Windows application compatibility changes and shim database installation.
  • Restrict administrative capability to install or register application shims to authorized users and managed workflows.
  • Ensure endpoint logging and EDR policies capture process execution and relevant registry modifications needed for investigation.
  • Maintain change-management evidence so SOC analysts can distinguish approved compatibility activity from suspicious persistence behavior.
  • Include Application Shimming checks in incident response persistence review procedures for Windows hosts.

Analyst notes and limits

This take is based on the detection strategy name, external reference DET0017, and the relationship to ATT&CK T1546.011 Application Shimming. The supplied MITRE fields do not include an official description or official detection logic, so implementation should be validated against local Windows telemetry and organizational change practices.

Platforms and tactics are not specified on the detection-strategy object itself. Windows, persistence, and privilege escalation context comes from the related ATT&CK technique T1546.011 and the object name. No claim is made that this activity is present, actively exploited, attributed to any actor, or fully detectable in a given environment.

Official MITRE ATT&CK definition

Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain     | ID        | Name                 | Type          | Relationship / procedure
Enterprise | T1546.011 | Application Shimming | Sub-technique | This object detects Application Shimming.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources, Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not supplied)
Modified: (not supplied)
Raw hash: 3fcb55453eb73d10...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 3fcb55453eb7…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0017 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.