SDB
Overview
Evidence: SDB
Description: Collect SDB
Category: System
Platform: windows
Short Name: sdb
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows Application Compatibility infrastructure uses shim databases (.sdb files) to apply compatibility fixes to applications. Custom shim databases can be created to modify application behavior, redirect file access, inject DLLs, and perform other compatibility fixes.
Attackers have abused shim databases as a persistence mechanism and to inject malicious code into legitimate processes (similar to DLL search order hijacking).
Data Collected
This collector gathers structured data about shim database (SDB) files.
SDB Data
| Field | Description | Example |
|---|---|---|
| Name | Artifact name | SDB |
| Type | Artifact type | File |
| SourcePath | Original file path | C:\Windows\AppPatch\Custom\malicious.sdb |
| Path | Relative path in evidence | Other/malicious.sdb |
Collection Method
This collector collects shim database files from:
- Windows\apppatch\Custom\*.sdb - Custom 32-bit shim databases
- Windows\apppatch\Custom\Custom64\*.sdb - Custom 64-bit shim databases
- Windows\apppatch\*.sdb - System shim databases
Forensic Value
Shim databases can reveal application compatibility fixes and potential abuse for persistence or code injection. Investigators use this data to detect malicious shim persistence (MITRE T1546.011), identify DLL injection via shims, track custom compatibility fixes, and detect application behavior modifications.
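As an added illustration of the Collection Method and Forensic Value sections above (example code, not the collector's own implementation), the following Python maps candidate file paths onto the three collected locations, emits records with the Name/Type/SourcePath/Path fields from the table, and separates the custom shim databases, which are the ones worth triaging for T1546.011. The sample paths are constructed for the example; `classify_sdb`, `build_records` and `custom_sdbs` are names chosen here.

```python
from pathlib import PureWindowsPath

# The three collected locations, keyed by directory relative to the Windows
# directory (lower-cased for case-insensitive NTFS matching).
SDB_LOCATIONS = {
    r"apppatch\custom": "Custom 32-bit shim database",
    r"apppatch\custom\custom64": "Custom 64-bit shim database",
    r"apppatch": "System shim database",
}

# Constructed sample input: what a directory walk might hand the collector.
SAMPLE_PATHS = [
    r"C:\Windows\AppPatch\sysmain.sdb",                 # system database
    r"C:\Windows\AppPatch\Custom\malicious.sdb",        # example from the table
    r"C:\Windows\AppPatch\Custom\Custom64\example64.sdb",
    r"C:\Windows\AppPatch\drvmain.sdb",                 # system database
    r"C:\Windows\System32\notes.txt",                   # wrong extension, ignored
    r"D:\Backup\AppPatch\Custom\old.sdb",               # outside the Windows dir, ignored
]


def classify_sdb(path, windows_dir=r"C:\Windows"):
    """Return the collected-location label for an .sdb path, or None if not collected."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".sdb":
        return None
    try:
        rel = p.relative_to(PureWindowsPath(windows_dir))
    except ValueError:
        return None  # not under the Windows directory at all
    # Only the exact parent directories listed in SDB_LOCATIONS are collected;
    # a .sdb elsewhere under Windows\ is not part of this artifact.
    return SDB_LOCATIONS.get(str(rel.parent).lower())


def build_records(paths, windows_dir=r"C:\Windows"):
    """Build the structured records described in the SDB Data table."""
    records = []
    for path in paths:
        category = classify_sdb(path, windows_dir)
        if category is None:
            continue
        records.append({
            "Name": "SDB",
            "Type": "File",
            "SourcePath": path,
            "Path": "Other/" + PureWindowsPath(path).name,  # relative path in evidence
            "Category": category,
        })
    return records


def custom_sdbs(records):
    """Custom databases (anything under Custom\\) are the usual persistence vector."""
    return [r for r in records if r["Category"].startswith("Custom")]
```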