Uncommon Extension Shim Database Installation Via Sdbinst.EXE (18ee686c-38a3-4f65-9f44-48a077141f42)

Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) | Attack Pattern | Uncommon Extension Shim Database Installation Via Sdbinst.EXE (18ee686c-38a3-4f65-9f44-48a077141f42) | Sigma-Rules | 1 |
| Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | Application Shimming - T1546.011 (42fe883a-21ea-4cfb-b94a-78b6476dcc83) | Attack Pattern | 2 |