Privilege Escalation, Persistence T1546.011 Application shimming via sdbinst.exe
Applicationshimming
Query
DeviceProcessEvents
| where ProcessVersionInfoInternalFileName =~ "sdbinst.exe"
| where not(ProcessCommandLine has_all ("-m","-bg")) | where ProcessCommandLine != @"""sdbinst.exe"" -mm"
| where ProcessCommandLine !contains "iisexpressshim.sdb"Explanation
This query is searching for instances of the utility sdbinst.exe being used to set registry keys for application shimming. It excludes instances where the process command line includes certain parameters or the file being shimmed is iisexpressshim.sdb. The query is looking for potential privilege escalation and persistence techniques.
