Application Shimming is a malicious technique on Microsoft Windows operating systems in which Application Shim’s are abused to establish persistence, inject DLLs, elevate privileges, and much more. The Microsoft Windows Application Compatibility Framework can used to create Shim Database (.sdb) files that are typically used to fix software compatibility issues, however they can instead be abused for nefarious purposes.
The financially-motivated threat group FIN7 (aka Carbanak Group) has been seen using Application Shimming as a means for persistence with their Pillowmint malware that targets point of sale (POS) systems. In addition, the suspected Chinese-based threat actor group known as Mofang has used Application Shimming persistence techniques with their ShimRAT malware.
Check out Cyborg Security’s Threat Hunt Deep Dives Ep. 2: Application Shimming to learn more about this technique, how it can be used for persistence, and how it can be detected.
Haven’t seen the first episode of Threat Hunt Deep Dives? Watch it here!