

Application Shimming is a malicious technique on Microsoft Windows operating systems in which application shims are abused to establish persistence, inject DLLs, elevate privileges, and more. The Microsoft Windows Application Compatibility Framework can be used to create shim database (.sdb) files that are normally used to fix software compatibility issues; however, those same files can instead be abused for nefarious purposes.
The financially motivated threat group FIN7 (aka Carbanak Group) has been seen using Application Shimming as a means of persistence with its Pillowmint malware, which targets point-of-sale (POS) systems. In addition, the suspected China-based threat actor group known as Mofang has used Application Shimming persistence techniques with its ShimRAT malware.
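As an added illustration of how the persistence described above can be hunted for (this is example code written for this page, not Cyborg Security's own content or detection logic), the script below runs a few Application Shimming indicators over Sysmon-style event records. It looks for executions of sdbinst.exe (the built-in shim database installer), writes to the AppCompatFlags\Custom and AppCompatFlags\InstalledSDB registry keys where installed databases are recorded, and .sdb files created outside %SystemRoot%\AppPatch. The event records, file paths and the GUID are all constructed for the example; the field names follow the Sysmon schema, and the severity scheme is an assumption of this example rather than a published standard.

```python
"""Hunt for Application Shimming persistence (MITRE ATT&CK T1546.011) in
Sysmon-style events. Added example with constructed records, not page code."""
import re
from typing import Dict, List

# Sysmon event IDs used below: 1 = process create, 11 = file create, 13 = registry value set
PROCESS_CREATE, FILE_CREATE, REGISTRY_SET = 1, 11, 13

# Registry subtrees where an installed shim database is recorded
SHIM_REG_KEY = re.compile(r"\\AppCompatFlags\\(Custom|InstalledSDB)\\", re.I)
# Windows keeps its own shim databases here; an .sdb anywhere else deserves a look
APPPATCH_DIR = re.compile(r"^[a-z]:\\windows\\apppatch\\", re.I)
# Extract .sdb paths (quoted or not) from a command line
SDB_PATH = re.compile(r'"?([a-z]:\\[^"\s]+?\.sdb)"?', re.I)


def _is_sdbinst(image: str) -> bool:
    return image.lower().endswith("\\sdbinst.exe")


def hunt_app_shimming(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that matches a shimming indicator."""
    findings = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == PROCESS_CREATE and _is_sdbinst(image):
            paths = SDB_PATH.findall(ev.get("CommandLine", ""))
            outside = [p for p in paths if not APPPATCH_DIR.match(p)]
            findings.append({
                "event": ev,
                "indicator": "sdbinst.exe execution",
                # a database outside %SystemRoot%\AppPatch is the stronger signal
                "severity": "high" if outside else "medium",
                "sdb_paths": paths,
            })
        elif eid == REGISTRY_SET and SHIM_REG_KEY.search(ev.get("TargetObject", "")):
            findings.append({
                "event": ev,
                "indicator": "shim database registry entry written",
                # sdbinst.exe writing here is expected; any other writer skipped the installer
                "severity": "low" if _is_sdbinst(image) else "high",
            })
        elif eid == FILE_CREATE:
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(".sdb") and not APPPATCH_DIR.match(target):
                findings.append({
                    "event": ev,
                    "indicator": ".sdb file dropped outside AppPatch",
                    "severity": "medium",
                })
    return findings


# Constructed sample events (hypothetical hosts, users, paths and GUID)
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                       # benign, no finding
    {"EventID": 1, "Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r"sdbinst.exe -q C:\Users\Public\update.sdb"},   # quiet install from a user-writable path
    {"EventID": 13, "Image": r"C:\Windows\System32\sdbinst.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
                     r"\InstalledSDB\{11111111-2222-3333-4444-555555555555}\DatabasePath"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
                     r"\Custom\notepad.exe\{11111111-2222-3333-4444-555555555555}.sdb"},
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\installer.exe",
     "TargetFilename": r"C:\Users\Public\update.sdb"},
]

if __name__ == "__main__":
    for f in hunt_app_shimming(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['indicator']}: {f['event']['Image']}")
```

On real data the three indicator families corroborate each other: an sdbinst.exe run from a user-writable path, followed by the registry entries it creates, is the normal footprint of a shim install and should be triaged together, while registry entries under those keys written by anything other than sdbinst.exe are the case worth prioritising, since nothing legitimate needs to populate them by hand.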
Check out Cyborg Security’s Threat Hunt Deep Dives Ep. 2: Application Shimming to learn more about this technique, how it can be used for persistence, and how it can be detected.


