
DEV: list application shims

p0w3rsh3ll opened this issue (Open, 0 comments)

Steps to reproduce

# System database and the registrations sdbinst writes for installed databases:
dir c:\windows\AppPatch\sysmain.sdb
dir "hklm:\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb"

# Custom databases are stored in:
dir C:\windows\AppPatch\custom
dir c:\windows\AppPatch\AppPatch64\Custom
# Per-executable mapping of shimmed targets to their database GUIDs:
dir "hklm:\software\microsoft\windows nt\currentversion\appcompatflags\custom"

Expected behavior

List if any

Actual behavior

See https://www.redcanary.com/blog/detecting-application-shimming/

They are considered a persistence mechanism: https://attack.mitre.org/wiki/Technique/T1138


Environment data

> $PSVersionTable
Name                           Value
----                           -----
PSVersion                      5.1.16299.248
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.16299.248
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

p0w3rsh3ll, Feb 21 '18 14:02
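An added example of what the requested check could look like. This is not code from the AutoRuns project or from the issue author; it walks the same locations listed in the issue and correlates them. It assumes Windows PowerShell 5.1 (the issue's environment), an elevated session for reading HKLM, and that the value names under InstalledSDB (DatabasePath, DatabaseType, DatabaseDescription, DatabaseInstallTimeStamp as a FILETIME) and the '{GUID}.sdb' value names under Custom are the ones sdbinst.exe writes; the Custom\Custom64 directory is the one sdbinst uses for 64-bit databases.

```powershell
# Added example: enumerate installed application-compatibility shim databases
# and correlate registry registrations with the .sdb files under AppPatch.
# Assumes Windows PowerShell 5.1 and an elevated session (HKLM is read).

$AppCompatFlags = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-RegisteredShimDatabase {
    # Each subkey of InstalledSDB is a database GUID written by sdbinst.exe.
    # Value names below are the ones sdbinst writes (assumption, see lead-in);
    # DatabaseInstallTimeStamp is a FILETIME stored as a QWORD.
    $key = Join-Path $AppCompatFlags 'InstalledSDB'
    if (-not (Test-Path -Path $key)) { return }
    Get-ChildItem -Path $key | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $path = [Environment]::ExpandEnvironmentVariables([string]$p.DatabasePath)
        $installed = $null
        if ($null -ne $p.DatabaseInstallTimeStamp) {
            try { $installed = [DateTime]::FromFileTimeUtc([int64]$p.DatabaseInstallTimeStamp) } catch { }
        }
        [pscustomobject]@{
            Guid         = $_.PSChildName
            Path         = $path
            Description  = $p.DatabaseDescription
            Type         = $p.DatabaseType
            InstalledUtc = $installed
            FileExists   = [bool]($path -and (Test-Path -LiteralPath $path))
        }
    }
}

function Get-ShimTarget {
    # Each subkey of Custom is named after the shimmed executable (e.g. notepad.exe);
    # its values are named '{GUID}.sdb' and point back to a registered database.
    $key = Join-Path $AppCompatFlags 'Custom'
    if (-not (Test-Path -Path $key)) { return }
    Get-ChildItem -Path $key | ForEach-Object {
        $target = $_.PSChildName
        $_.GetValueNames() | Where-Object { $_ -like '*.sdb' } | ForEach-Object {
            [pscustomobject]@{
                Target = $target
                Guid   = [IO.Path]::GetFileNameWithoutExtension($_)
            }
        }
    }
}

function Get-ShimDatabaseFile {
    # Every .sdb under AppPatch. Microsoft's own databases (sysmain.sdb etc.) sit
    # directly in AppPatch and AppPatch64; sdbinst drops custom ones under
    # AppPatch\Custom (and Custom\Custom64 for 64-bit databases).
    $root = Join-Path $env:windir 'AppPatch'
    Get-ChildItem -Path $root -Recurse -Filter '*.sdb' -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTimeUtc,
            @{ Name = 'Custom'; Expression = { $_.DirectoryName -like '*\Custom*' } }
}

function Get-ShimReport {
    # Emits one object per registered database (with the executables it targets)
    # and warns on the two mismatches that break the normal sdbinst pairing:
    # a custom .sdb on disk with no registration, and a registration whose file is gone.
    $registered = @(Get-RegisteredShimDatabase)
    $targets    = @(Get-ShimTarget)
    $files      = @(Get-ShimDatabaseFile)
    $registeredPaths = @($registered | ForEach-Object { $_.Path })

    foreach ($db in $registered) {
        $hits = $targets | Where-Object { $_.Guid -eq $db.Guid } | ForEach-Object { $_.Target }
        $db | Add-Member -NotePropertyName Targets -NotePropertyValue ($hits -join ', ') -PassThru
    }

    $files | Where-Object { $_.Custom -and ($registeredPaths -notcontains $_.FullName) } |
        ForEach-Object { Write-Warning "Unregistered custom shim database: $($_.FullName)" }
    $registered | Where-Object { -not $_.FileExists } |
        ForEach-Object { Write-Warning "Registered database missing on disk: $($_.Path) ($($_.Guid))" }
}

Get-ShimReport | Format-Table Guid, Description, Targets, InstalledUtc, FileExists -AutoSize
```

On a clean machine the report is empty and no warnings are printed; after `sdbinst some.sdb` the new GUID appears with its target executables, and removing the file without `sdbinst -u` surfaces as a "missing on disk" warning. The `-notcontains` comparison is case-insensitive in PowerShell, so path casing differences between the registry and the file system do not produce false warnings.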