Threat Hunt Deep Dives: Application Shimming

Austin Jackson|December 10, 2020
Blog

Application Shimming is a malicious technique on Microsoft Windows operating systems in which application shims are abused to establish persistence, inject DLLs, elevate privileges, and more. The Microsoft Windows Application Compatibility Framework can be used to create Shim Database (.sdb) files, which are normally used to fix software compatibility issues but can instead be abused for nefarious purposes.


The financially motivated threat group FIN7 (aka Carbanak Group) has been seen using Application Shimming as a means of persistence with its Pillowmint malware, which targets point-of-sale (POS) systems. In addition, the suspected China-based threat actor group known as Mofang has used Application Shimming persistence techniques with its ShimRAT malware.

Check out Cyborg Security’s Threat Hunt Deep Dives Ep. 2: Application Shimming to learn more about this technique, how it can be used for persistence, and how it can be detected.
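One way to hunt for this persistence on a host, as an added example that is not part of the original post or Cyborg Security's own tooling: a PowerShell function that enumerates the registry keys and directory that sdbinst.exe populates when a custom shim database is installed. The key and path names are the standard Windows application-compatibility locations, assumed here from Windows documentation rather than taken from this post; run it from an elevated prompt.

```powershell
# Added example (not from the post): enumerate custom shim databases on this host.
function Get-InstalledShimDatabases {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

    # InstalledSDB: one subkey per custom database, holding DatabasePath/DatabaseDescription
    $installed = Get-ChildItem -Path "$base\InstalledSDB" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Guid        = $_.PSChildName
                Description = $p.DatabaseDescription
                Path        = $p.DatabasePath
                OnDisk      = [bool]($p.DatabasePath -and (Test-Path -LiteralPath $p.DatabasePath))
            }
        }

    # Custom: one subkey per shimmed executable name; each value name is "{GUID}.sdb"
    $targets = Get-ChildItem -Path "$base\Custom" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe = $_.PSChildName
            foreach ($v in $_.GetValueNames()) {
                [pscustomobject]@{ TargetExe = $exe; Database = ($v -replace '\.sdb$', '') }
            }
        }

    # .sdb files dropped under AppPatch\Custom (including Custom64), hashed for triage
    $files = Get-ChildItem -Path "$env:SystemRoot\AppPatch\Custom" -Recurse -Filter *.sdb -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Size    = $_.Length
                Created = $_.CreationTime
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }

    # Cross-check: an executable mapping whose database GUID is not registered in
    # InstalledSDB (or a registered database whose file is missing) deserves a closer look
    $known   = @($installed | ForEach-Object { $_.Guid })
    $orphans = @($targets | Where-Object { $known -notcontains $_.Database })

    [pscustomobject]@{
        Installed           = @($installed)
        Targets             = @($targets)
        Files               = @($files)
        UnregisteredTargets = $orphans
    }
}

$r = Get-InstalledShimDatabases
$r.Installed, $r.Targets, $r.Files, $r.UnregisteredTargets | Format-Table -AutoSize
```

On a host that has never had a custom database installed, InstalledSDB and Custom are normally empty, so any entry should be checked against known deployment records; pairing this with process-creation telemetry for sdbinst.exe gives the time of installation.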

Haven’t seen the first episode of Threat Hunt Deep Dives? Watch it here!

Austin Jackson

Software Engineer & Security Researcher