Application Shimming

Information

• Name: Application Shimming

• ID: T1546.011

• Tactics: TA0004, TA0003

• Technique: T1546

Introduction

Application Shimming (T1546.011) is a persistence sub-technique within the MITRE ATT&CK framework, categorized under the broader technique of Event Triggered Execution (T1546). It involves leveraging the Windows Application Compatibility framework, specifically application shims, to execute malicious payloads or maintain persistence. Application shims are typically used by Windows to allow legacy or incompatible applications to function properly by intercepting and modifying API calls. Attackers exploit this functionality by inserting malicious shim databases to execute arbitrary code, evade detection, and maintain persistence.

Deep Dive Into Technique

Application shimming leverages the legitimate Windows Application Compatibility Infrastructure, which is designed to allow older or incompatible software to run seamlessly on modern Windows operating systems. The primary mechanism involves shim databases (.sdb files), which contain compatibility fixes, API hooks, and redirection rules.

Key technical details include:

• Shim databases are created and managed using Microsoft's Application Compatibility Toolkit (ACT) or Compatibility Administrator tool.

• Shim databases (.sdb files) can be installed silently using the built-in Windows utility sdbinst.exe. For example:

  Copy

  sdbinst.exe malicious_shim.sdb

• Once installed, the shim database is registered within the Windows Registry, typically under:

  Copy

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

• Malicious shims typically intercept API calls made by targeted applications, redirecting execution flow to attacker-controlled payloads or DLLs.

• Attackers may leverage common shims such as RedirectEXE, InjectDLL, or VirtualRegistry to achieve persistence or privilege escalation.

• Malicious shim databases can be disguised as legitimate compatibility fixes to evade suspicion.

• The technique does not require administrator privileges if targeting user-level applications, but administrative privileges significantly expand the scope and impact.

When this Technique is Usually Used

Application shimming is commonly employed by attackers in the following scenarios and stages:

• Persistence Stage: Attackers use application shims to ensure continued access to compromised systems, even after reboots or user logouts.

• Privilege Escalation: Shims can intercept privileged applications' execution paths, potentially allowing attackers to escalate privileges.

• Defense Evasion: Attackers exploit shims to bypass detection mechanisms, as shim execution can appear legitimate and blend in with normal system behavior.

• Post-Exploitation: After initial compromise, attackers install malicious shims to maintain long-term access and facilitate lateral movement.

• Targeted Attacks and APT Operations: Advanced Persistent Threat (APT) groups often use application shimming due to its stealth and effectiveness in evading detection.

How this Technique is Usually Detected

Detecting application shimming involves monitoring for unusual shim database installations, suspicious registry modifications, and anomalous API hooking patterns. Detection methods and indicators include:

• Monitoring Shim Database Installation:

  • Track execution of sdbinst.exe utility.

  • Monitor file system activities for new .sdb files in %windir%\AppPatch\Custom.

• Registry Monitoring:

  • Monitor registry key modifications under:

    Copy

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

  • Look for unexpected or unauthorized shim database registrations.

• Process and API Hooking Detection:

  • Use endpoint detection and response (EDR) tools to detect suspicious API hooking or DLL injection behaviors.

  • Analyze API call patterns and identify unusual redirections or injections.

• File Integrity Monitoring (FIM):

  • Implement FIM to detect unauthorized modification or addition of shim-related files in system directories.

• Event Logs and Auditing:

  • Enable and review Windows Event Logs for Application Compatibility-related events, especially installation of new shim databases.

Indicators of Compromise (IoCs):

• Suspicious .sdb files appearing in system directories.

• Unexpected registry entries pointing to unknown shim databases.

• Execution of sdbinst.exe from unusual locations or contexts.

• API hooks or DLL injections detected by advanced endpoint security tools.

Why it is Important to Detect This Technique

Early detection of application shimming is critical due to its potential impacts on system integrity, security posture, and operational continuity. The importance lies in the following possible consequences:

• Persistent Access: Attackers can maintain long-term and stealthy persistence, making remediation challenging.

• Privilege Escalation: Shims can intercept privileged applications, potentially allowing attackers to escalate privileges and gain deeper system control.

• Defense Evasion: Application shimming can bypass antivirus and endpoint security solutions by appearing as legitimate compatibility mechanisms.

• Data Exfiltration and Espionage: Persistent and stealthy access facilitates extended espionage, data theft, and intellectual property compromise.

• Operational Disruption: Malicious shims can disrupt legitimate application functionality, causing system instability or downtime.

• Increased Incident Response Complexity: Undetected shims complicate incident response efforts, increasing time and resources required for remediation.

Early detection allows organizations to mitigate these risks promptly, reduce attacker dwell time, and minimize potential damage.

Examples

Real-world examples of application shimming used in cyber-attacks include:

• FIN7 Group Attacks:

  • Attack Scenario: The FIN7 threat group leveraged malicious shim databases to intercept execution of legitimate applications, injecting malicious payloads into financial and retail sector organizations.

  • Tools Used: Malicious .sdb files, custom DLL payloads, and sdbinst.exe for silent installation.

  • Impact: Persistent access, credit card data theft, financial losses, and significant reputational damage.

• APT29 (Cozy Bear):

  • Attack Scenario: APT29 utilized application shimming techniques to maintain persistence on targeted government and diplomatic entities, intercepting execution of common applications.

  • Tools Used: Custom shim databases, API hooking, and DLL injection payloads.

  • Impact: Long-term espionage, data exfiltration, and intelligence gathering.

• Operation ShadowHammer (Supply Chain Attack):

  • Attack Scenario: Attackers compromised ASUS Live Update Utility via malicious shim databases to distribute backdoors to thousands of ASUS users.

  • Tools Used: Malicious .sdb files, DLL injection, and API hooking mechanisms.

  • Impact: Massive supply chain compromise, unauthorized access to thousands of systems, and significant brand damage.

These examples highlight the effectiveness and stealth of application shimming as a persistence and defense evasion technique, underscoring the importance of robust detection and mitigation strategies.