Threat Hunt Deep Dives: Application Shimming

Austin Jackson|December 10, 2020
Blog

Application Shimming is a malicious technique on Microsoft Windows operating systems in which Application Shim’s are abused to establish persistence, inject DLLs, elevate privileges, and much more. The Microsoft Windows Application Compatibility Framework can used to create Shim Database (.sdb) files that are typically used to fix software compatibility issues, however they can instead be abused for nefarious purposes.

New call-to-action

The financially-motivated threat group FIN7 (aka Carbanak Group) has been seen using Application Shimming as a means for persistence with their Pillowmint malware that targets point of sale (POS) systems. In addition, the suspected Chinese-based threat actor group known as Mofang has used Application Shimming persistence techniques with their ShimRAT malware.

Check out Cyborg Security’s Threat Hunt Deep Dives Ep. 2: Application Shimming to learn more about this technique, how it can be used for persistence, and how it can be detected.


 
Haven’t seen the first episode of Threat Hunt Deep Dives? Watch it here!

New call-to-action
Blog

Austin Jackson

Software Engineer & Security Researcher
Follow Cyborg
  • Twitter
  • linked in

DISCOVER EVEN MORE

White Paper

March 23, 2021

Living off the Land (LotL) – RDP Hijacking
Read more
White Paper

March 9, 2021

Living off the Land (LotL) – Downloading Files on Microsoft Windows
Read more
White Paper

January 21, 2021

Threat Hunt Deep Dives: Apache Struts RCE (CVE-2020-17530)
Read more

SUBSCRIBE TO OUR NEWSLETTER

Continue the Hunt
No thanks, maybe later.