Privilege Escalation, Persistence T1546.011 Application shimming via sdbinst.exe
Applicaitonshimming
Query
DeviceProcessEvents
| where ProcessVersionInfoInternalFileName =~ "sdbinst.exe"
| where not(ProcessCommandLine has_all ("-m","-bg")) | where ProcessCommandLine != @"""sdbinst.exe"" -mm"
| where ProcessCommandLine !contains "iisexpressshim.sdb"Explanation
This query is searching for instances of the utility sdbinst.exe being used to set registry keys for application shimming. It excludes certain command line arguments and a specific shim database file. The purpose of this query is to detect potential privilege escalation and persistence techniques.
