Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Privilege Escalation
  4. >ATTACK-T1546.011
ATTACK-T1546.011Active

Application Shimming

Statement

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)

Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.

A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:

  • <code>%WINDIR%\AppPatch\sysmain.sdb</code> and
  • <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb</code>

Custom databases are stored in:

  • <code>%WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom</code> and
  • <code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom</code>

To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Account Control (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).

Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.

Location

Tactic
Privilege Escalation

Technique Details

Identifier
ATTACK-T1546.011
Parent Technique
ATTACK-T1546
ATT&CK Page
View on MITRE

Tactics

Privilege EscalationPersistence

Platforms

Windows

Detection

Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows)

Mitigations

User Account Control: User Account Control (UAC) is a security feature in Microsoft Windows that prevents unauthorized changes to the operating system. UAC prompts users to confirm or provide administrator credentials when an action requires elevated privileges. Proper configuration of UAC reduces the risk of privilege escalation attacks. This mitigation can be implemented through the following measures:

Enable UAC Globally:

  • Ensure UAC is enabled through Group Policy by setting User Account Control: Run all administrators in Admin Approval Mode to Enabled.

Require Credential Prompt:

  • Use Group Policy to configure UAC to prompt for administrative credentials instead of just confirmation (User Account Control: Behavior of the elevation prompt).

Restrict Built-in Administrator Account:

Set Admin Approval Mode for the built-in Administrator account to Enabled in Group Policy.

Secure the UAC Prompt:

  • Configure UAC prompts to display on the secure desktop (User Account Control: Switch to the secure desktop when prompting for elevation).

Prevent UAC Bypass:

  • Block untrusted applications from triggering UAC prompts by configuring User Account Control: Only elevate executables that are signed and validated.
  • Use EDR tools to detect and block known UAC bypass techniques.

Monitor UAC-Related Events:

  • Use Windows Event Viewer to monitor for event ID 4688 (process creation) and look for suspicious processes attempting to invoke UAC elevation.

Tools for Implementation

Built-in Windows Tools:

  • Group Policy Editor: Configure UAC settings centrally for enterprise environments.
  • Registry Editor: Modify UAC-related settings directly, such as EnableLUA and ConsentPromptBehaviorAdmin.

Endpoint Security Solutions:

  • Microsoft Defender for Endpoint: Detects and blocks UAC bypass techniques.
  • Sysmon: Logs process creations and monitors UAC elevation attempts for suspicious activity.

Third-Party Security Tools:

  • Process Monitor (Sysinternals): Tracks real-time processes interacting with UAC.
  • EventSentry: Monitors Windows Event Logs for UAC-related alerts.

Update Software: Software updates ensure systems are protected against known vulnerabilities by applying patches and upgrades provided by vendors. Regular updates reduce the attack surface and prevent adversaries from exploiting known security gaps. This includes patching operating systems, applications, drivers, and firmware. This mitigation can be implemented through the following measures:

Regular Operating System Updates

  • Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance windows.
  • Use Case: Prevents exploitation of OS vulnerabilities such as privilege escalation or remote code execution.

Application Patching

  • Implementation: Monitor Apache's update release notes for security patches addressing vulnerabilities. Schedule updates for off-peak hours to avoid downtime while maintaining security compliance.
  • Use Case: Prevents exploitation of web application vulnerabilities, such as those leading to unauthorized access or data breaches.

Firmware Updates

  • Implementation: Regularly check the vendor’s website for firmware updates addressing vulnerabilities. Plan for update deployment during scheduled maintenance to minimize business disruption.
  • Use Case: Protects against vulnerabilities that adversaries could exploit to gain access to network devices or inject malicious traffic.

Emergency Patch Deployment

  • Implementation: Use the emergency patch deployment feature of the organization's patch management tool to apply updates to all affected Exchange servers within 24 hours.
  • Use Case: Reduces the risk of exploitation by rapidly addressing critical vulnerabilities.

Centralized Patch Management

  • Implementation: Implement a centralized patch management system, such as SCCM or ManageEngine, to automate and track patch deployment across all environments. Generate regular compliance reports to ensure all systems are updated.
  • Use Case: Streamlines patching processes and ensures no critical systems are missed.

Tools for Implementation

Patch Management Tools:

  • WSUS: Manage and deploy Microsoft updates across the organization.
  • ManageEngine Patch Manager Plus: Automate patch deployment for OS and third-party apps.
  • Ansible: Automate updates across multiple platforms, including Linux and Windows.

Vulnerability Scanning Tools:

  • OpenVAS: Open-source vulnerability scanning to identify missing patches.
SP 800-53
SP800-53-AC-6relatedvia ctid-attack-to-sp800-53
SP800-53-SI-2relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Privilege Escalation
Privilege Escalation25 controls
ATTACK-T1068Exploitation for Privilege EscalationATTACK-T1546Event Triggered ExecutionATTACK-T1546.001Change Default File AssociationATTACK-T1546.002ScreensaverATTACK-T1546.003Windows Management Instrumentation Event SubscriptionATTACK-T1546.004Unix Shell Configuration ModificationATTACK-T1546.005TrapATTACK-T1546.006LC_LOAD_DYLIB AdditionATTACK-T1546.007Netsh Helper DLLATTACK-T1546.008Accessibility FeaturesATTACK-T1546.009AppCert DLLsATTACK-T1546.010AppInit DLLsATTACK-T1546.011Application ShimmingATTACK-T1546.012Image File Execution Options InjectionATTACK-T1546.013PowerShell ProfileATTACK-T1546.014EmondATTACK-T1546.015Component Object Model HijackingATTACK-T1546.016Installer PackagesATTACK-T1548Abuse Elevation Control MechanismATTACK-T1548.001Setuid and SetgidATTACK-T1548.002Bypass User Account ControlATTACK-T1548.003Sudo and Sudo CachingATTACK-T1548.004Elevated Execution with PromptATTACK-T1548.005Temporary Elevated Cloud AccessATTACK-T1611Escape to Host