Shimming - ties2/Red-Team GitHub Wiki

Shimming is a technique commonly used by attackers to gain persistence on a Windows system. It involves modifying how dynamic-link libraries (DLLs) are resolved and loaded in order to intercept function calls made by an application and redirect them to a malicious DLL. By doing so, attackers can achieve a range of objectives, such as bypassing security checks, escalating privileges, and maintaining persistence on a compromised system. This page discusses shimming as a method of achieving permanent access on a system, including its mechanism, its types, and examples of attacks that used it.

  • Mechanism: Shimming works by changing the way an application interacts with the operating system. When an application loads a DLL, the loader first checks its list of known DLLs; if the DLL is there, it is used directly. If it is not, the operating system searches a set of predefined locations in a fixed order. Attackers take advantage of this behaviour by placing a malicious DLL in one of those locations, or by altering the application's search order, so that the malicious DLL is found before the legitimate one.
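The search-order behaviour described in the bullet above, modelled as an added example from a defender's point of view (this is not code from the ties2/Red-Team wiki). It walks a simplified loader order for each DLL an application imports and reports where a DLL that a standard user could write would be picked up before the legitimate copy. The order used here (known DLLs, application directory, system directory, current directory, PATH entries), the directory names, the DLL names and the writability flags are all assumptions and constructed sample data, not measurements from a real host.

```python
"""Added example: model the DLL search order from the wiki's Mechanism bullet
and flag where a writable directory is consulted before the real DLL is found.

Assumptions (not from the wiki): the loader order is simplified to
KnownDLLs -> application dir -> system dir -> current dir -> PATH entries;
all directories, DLL names and writability flags below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    name: str            # directory path (constructed sample value)
    present: frozenset   # lower-case DLL file names found there (constructed)
    user_writable: bool  # can a standard user create or replace files here?


def search_order(app_dir, system_dir, cwd, path_dirs):
    """Simplified loader order after the KnownDLLs check (assumption)."""
    return [app_dir, system_dir, cwd, *path_dirs]


def resolve(dll, known_dlls, order):
    """Walk the search order for one DLL.

    Returns (name of the resolving location or None, whether that location is
    user-writable, list of user-writable directories searched *before* the DLL
    was found). Known DLLs are taken from the system copy without a filesystem
    search, so they never pass through a writable directory.
    """
    dll = dll.lower()
    if dll in known_dlls:
        return "KnownDLLs", False, []
    hijackable = []
    for loc in order:
        if dll in loc.present:
            return loc.name, loc.user_writable, hijackable
        if loc.user_writable:
            hijackable.append(loc.name)
    return None, False, hijackable


def classify(resolved, resolved_writable, hijackable):
    """Turn one resolution into a finding category."""
    if resolved is None:
        return "missing"    # phantom DLL: the first writable dir in the order wins
    if hijackable or resolved_writable:
        return "at_risk"    # a writable dir is searched first, or the file can be replaced
    return "ok"


def audit(imports, known_dlls, order):
    """Report, per imported DLL, where it resolves from and which writable
    directories an attacker could plant a same-named DLL in."""
    report = {}
    for dll in imports:
        resolved, writable, hijackable = resolve(dll, known_dlls, order)
        report[dll.lower()] = {
            "resolved_from": resolved,
            "hijackable_from": hijackable,
            "status": classify(resolved, writable, hijackable),
        }
    return report


# Constructed sample host: a legacy application, a user profile as current
# directory, and a world-writable tools folder on PATH.
KNOWN_DLLS = frozenset({"kernel32.dll", "ntdll.dll", "user32.dll"})
APP_DIR = Location(r"C:\Program Files\LegacyApp", frozenset({"helper.dll"}), False)
SYSTEM_DIR = Location(r"C:\Windows\System32",
                      frozenset({"kernel32.dll", "ntdll.dll", "user32.dll",
                                 "version.dll", "cryptsp.dll"}), False)
CWD = Location(r"C:\Users\alice\Downloads", frozenset(), True)
TOOLS_DIR = Location(r"C:\Tools", frozenset({"plugin.dll"}), True)
ORDER = search_order(APP_DIR, SYSTEM_DIR, CWD, [TOOLS_DIR])

# Constructed import table for the application under review.
IMPORTS = ["kernel32.dll", "helper.dll", "version.dll", "plugin.dll", "telemetry.dll"]


if __name__ == "__main__":
    for name, finding in audit(IMPORTS, KNOWN_DLLS, ORDER).items():
        print(f"{name:15} {finding['status']:8} from={finding['resolved_from']} "
              f"writable-before={finding['hijackable_from']}")
```

The two findings worth acting on are `plugin.dll`, which resolves from a user-writable PATH entry after a writable current directory has already been searched, and `telemetry.dll`, which the application imports but which exists nowhere in the order, so any writable directory on the path becomes a planting point. On a real host the fix is to keep application and PATH directories non-writable to standard users and to ship every DLL the application needs alongside it; a check like this one can be run over the output of an import-table dump and an ACL survey.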

  • Types of Shimming: There are several types of shimming that can be used to achieve different objectives, including compatibility shimming, application shimming, and module shimming.

Compatibility shimming involves modifying the way that an application interacts with the operating system to ensure that it is compatible with older versions of Windows. This is typically used to maintain compatibility with legacy applications that are no longer supported by newer versions of Windows.

Application shimming involves modifying the way that a specific application interacts with the operating system. This can be used to bypass security checks, escalate privileges, or maintain persistence on a compromised system.

Module shimming involves modifying the way that a specific DLL interacts with the operating system. This can be used to intercept function calls made by an application to the DLL, and redirect them to a malicious DLL.

  • Examples of Shimming Attacks:

There have been several notable attacks that have made use of shimming techniques, including the following:

  • Stuxnet: Stuxnet was a worm that was discovered in 2010 and was used to target Iranian nuclear facilities. It used a variety of techniques to achieve its objectives, including shimming. In particular, Stuxnet used module shimming to intercept calls made by Siemens SCADA software to a specific DLL, and redirect them to a malicious DLL. This allowed Stuxnet to gain control of the SCADA system and cause physical damage to the facilities.

  • Carbanak: Carbanak is a banking Trojan that was discovered in 2015 and was used to steal millions of dollars from banks around the world. It used a variety of techniques to achieve its objectives, including shimming. In particular, Carbanak used application shimming to bypass security checks made by banking software, and gain access to sensitive data.

  • Duqu: Duqu was a worm that was discovered in 2011 and was used to target several organizations around the world. It used a variety of techniques to achieve its objectives, including shimming. In particular, Duqu used module shimming to intercept calls made by Microsoft Word to a specific DLL, and redirect them to a malicious DLL. This allowed Duqu to gain access to sensitive data and maintain persistence on compromised systems.

Conclusion: Shimming is a powerful technique that can be used by attackers to achieve a range of objectives, including bypassing security checks, escalating privileges, and maintaining persistence on a compromised system. There are several types of shimming that can be used, including compatibility shimming, application shimming, and module shimming. There have been several notable attacks that have made use of shimming techniques, including Stuxnet, Carbanak, and Duqu. As