| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Account Control window from appearing. |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | ShimRat communicated over HTTP and HTTPS with C2 servers. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | ShimRat has installed a registry-based start-up key, HKCU\Software\microsoft\windows\CurrentVersion\Run, to maintain persistence should other methods fail. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | ShimRat can be issued a command shell function from the C2. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | ShimRat has installed a Windows service to maintain persistence on victim machines. |
| enterprise | T1005 | Data from Local System | ShimRat has the capability to upload collected files to a C2. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.011 | Application Shimming | ShimRat has installed shim databases in the AppPatch folder. |
| enterprise | T1008 | Fallback Channels | ShimRat has used a secondary C2 location if the first was unavailable. |
| enterprise | T1083 | File and Directory Discovery | ShimRat can list directories. |
| enterprise | T1574 | Hijack Execution Flow | ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | ShimRat can uninstall itself from compromised hosts, as well as create and modify directories and delete, move, copy, and rename files. |
| enterprise | T1105 | Ingress Tool Transfer | ShimRat can download additional files. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems. |
| enterprise | T1112 | Modify Registry | ShimRat has registered two registry keys for shim databases. |
| enterprise | T1106 | Native API | ShimRat has used Windows API functions to install the service and shim. |
| enterprise | T1135 | Network Share Discovery | ShimRat can enumerate connected drives on infected host machines. |
| enterprise | T1027 | Obfuscated Files or Information | ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file. |
| enterprise | T1027.002 | Software Packing | ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack. |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.002 | External Proxy | ShimRat can use pre-configured HTTP proxies. |
| enterprise | T1029 | Scheduled Transfer | ShimRat can sleep when instructed to do so by the C2. |