T1546.011: Application Shimming
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. [1]
Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.
A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
* %WINDIR%\AppPatch\sysmain.sdb and * hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb
Custom databases are stored in:
* %WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom and * hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom
To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Account Control (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).
Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. [2] Shims can also be abused to establish persistence by continuously being invoked by affected programs.
Analyst context for executives and security teams
Application Shimming matters because it abuses a legitimate Windows compatibility feature to make malicious code run when affected applications execute. For leaders, the risk is not just malware persistence; it is the possibility that a trusted Windows mechanism can be used to regain access, elevate privileges, interfere with defenses, or hide inside normal application behavior.
Executive priority
Prioritize this as a Windows persistence and privilege-escalation risk where administrators, legacy applications, or compatibility tooling are common. Security leaders should ask whether the organization can inventory custom shim databases, monitor shim installation activity, and preserve registry and file evidence during incidents. Because ATT&CK links this technique to financially motivated and malware activity, it is relevant to incident readiness, compliance evidence, and resilience of business-critical Windows endpoints and servers.
Technical view
This is a Windows sub-technique of Event Triggered Execution. ATT&CK identifies sdbinst.exe, shim database files, and AppCompat registry locations as key areas for validation. SOC and IR teams should confirm visibility into creation or modification of custom .sdb files under Windows AppPatch custom paths, registry changes under AppCompatFlags InstalledSDB and Custom keys, and execution of the Windows shim installer. DET0017 is specifically related as a detection strategy for Application Shimming via sdbinst.exe and registry artifacts. Since MITRE provides no official detection text for this object, detection engineering should be based on the supplied artifacts and tested against known legitimate compatibility use.
Likely telemetry
- Windows process execution telemetry, especially sdbinst.exe activity
- File creation and modification telemetry for .sdb files in %WINDIR%\AppPatch\custom and %WINDIR%\AppPatch\AppPatch64\Custom
- Registry telemetry for HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB
- Registry telemetry for HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
- Endpoint security alerts or logs showing DLL injection, UAC bypass attempts, or defense interference when correlated with shim artifacts
Detection direction
- Validate DET0017-style coverage for sdbinst.exe execution and AppCompat registry artifacts.
- Baseline legitimate shim usage, because compatibility shims can be created for valid software support reasons.
- Alert on new or unexpected custom shim databases in Windows AppPatch custom locations, especially when followed by recurring execution of affected applications.
- Correlate shim installation or registry changes with administrator logons, software deployment windows, and endpoint protection events to reduce false positives.
- During IR, collect the listed registry keys and .sdb files before remediation so persistence evidence is not lost.
Mitigation priorities
- Keep Windows and applications updated to reduce reliance on legacy compatibility workarounds, aligned with M1051 Update Software.
- Maintain proper User Account Control configuration, aligned with M1052 User Account Control, because installing shims requires administrator privileges and some shims may be used in UAC bypass scenarios.
- Restrict and review administrative rights on Windows systems where shim installation could create durable persistence.
- Inventory approved application compatibility databases and investigate unmanaged custom entries.
- Include shim artifacts in endpoint hardening, incident response collection, and compliance evidence procedures.
Analyst notes and limits
Relationship context shows this technique is detected by DET0017 and mitigated by Update Software and User Account Control. ATT&CK also links usage to FIN7 and to Windows malware/software including ShimRat, SDBbot, and Pillowmint. These relationships support defensive prioritization, but they should not be treated as evidence of activity in a specific environment without local telemetry.
The supplied ATT&CK object does not include official detection guidance. The take is therefore based on the official description, listed Windows file and registry locations, and provided relationships. Local baselines are required to distinguish legitimate application compatibility activity from suspicious persistence.
Application Shimming
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. [1]
Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.
A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
* %WINDIR%\AppPatch\sysmain.sdb and * hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb
Custom databases are stored in:
* %WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom and * hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom
To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Account Control (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).
Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. [2] Shims can also be abused to establish persistence by continuously being invoked by affected programs.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1546 | Event Triggered Execution | This object subtechnique of Event Triggered Execution. |
| Enterprise | T1138 | Application Shimming | Application Shimming revoked by this object. |
Groups, software, and campaigns
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
S0517: Pillowmint
Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.[1]
S0461: SDBbot
S0444: ShimRat
ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "ShimRat" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. [1]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 221ff838fb8a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Elastic Process Injection July 2017
Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.
Open source URL -
[2]
FireEye Application Shimming
Ballenthin, W., Tomczak, J.. (2015). The Real Shim Shary. Retrieved May 4, 2020.
Open source URL -
[3]
Black Hat 2015 App Shim
Pierce, Sean. (2015, November). Defending Against Malicious Application Compatibility Shims. Retrieved June 22, 2017.
Open source URL -
[4]
mitre-attack T1546.011Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.