Shims For The Win: Case study and investigative techniques for hijacked Application Compatibility Infrastructure

Presented at BruCON 0x07 (2015), Oct. 9, 2015, 5:30 p.m. (60 minutes)

Over the past year, targeted attackers have rolled out new persistence mechanisms that evade existing detection technologies. In the past six months, we've identified multiple attacks that hijack Application Compatibility Infrastructure shim databases (SDBs) for code injection. This presentation digs into those attacks and into techniques for detecting them. We'll cover technical details and implementations, specific recommendations for detection, and brand new tools for analysis. We will conclude by showing you how to use these investigative methods to detect artifacts of shim persistence in both large and small environments.
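A starting point for the artifact hunting the abstract refers to, as an added example that is not part of the talk or its tools: custom shim databases installed with sdbinst.exe are registered under two keys in the SOFTWARE hive, AppCompatFlags\InstalledSDB (one GUID-named subkey per database, with DatabasePath, DatabaseDescription and a FILETIME install stamp) and AppCompatFlags\Custom (one subkey per shimmed executable, with a value per attached {GUID}.sdb), and the .sdb files themselves normally live under %SystemRoot%\AppPatch\Custom. The script below enumerates both keys, flags registered databases whose file is missing or sits outside AppPatch, and reports .sdb files on disk that no registry entry accounts for. The property names and the FILETIME interpretation of DatabaseInstallTimeStamp are taken from how sdbinst populates these keys on current Windows versions; the directory list and the "outside AppPatch" heuristic are this example's own assumptions about what is normal, not a claim from the talk.

```powershell
# Added example, not from the BruCON talk. Run in an elevated PowerShell on the
# host being examined. Only custom SDBs registered via sdbinst appear here;
# the built-in sysmain.sdb and friends are not registered under these keys.
$InstalledSDB = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$CustomKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
# Assumption: legitimate custom databases are dropped under these directories.
$AppPatchDirs = @("$env:SystemRoot\AppPatch\Custom", "$env:SystemRoot\AppPatch\Custom\Custom64")

function Get-InstalledShimDatabase {
    # One object per registered database: where it claims to live and whether that is true.
    if (-not (Test-Path -Path $InstalledSDB)) { return }
    Get-ChildItem -Path $InstalledSDB | ForEach-Object {
        $p  = Get-ItemProperty -Path $_.PSPath
        $ts = $null
        # DatabaseInstallTimeStamp is a QWORD holding a FILETIME; convert if present.
        if ($null -ne $p.DatabaseInstallTimeStamp) {
            try { $ts = [DateTime]::FromFileTimeUtc([int64]$p.DatabaseInstallTimeStamp) } catch { $ts = $null }
        }
        $path = [string]$p.DatabasePath
        [PSCustomObject]@{
            Guid            = $_.PSChildName
            Description     = $p.DatabaseDescription
            Path            = $path
            InstalledUtc    = $ts
            FileExists      = ($path -and (Test-Path -LiteralPath $path))
            # Heuristic: an SDB registered from a user-writable or odd location deserves a look.
            OutsideAppPatch = ($path -and ($path -notlike "$env:SystemRoot\AppPatch\*"))
        }
    }
}

function Get-ShimmedExecutable {
    # One object per (executable, attached database) pair under the Custom key.
    if (-not (Test-Path -Path $CustomKey)) { return }
    Get-ChildItem -Path $CustomKey | ForEach-Object {
        $exeKey = $_
        foreach ($valueName in $exeKey.GetValueNames()) {
            [PSCustomObject]@{
                Executable = $exeKey.PSChildName   # e.g. a process name the shim is fixed to
                Database   = $valueName            # e.g. {GUID}.sdb, matching an InstalledSDB entry
            }
        }
    }
}

function Get-UnregisteredShimFile {
    # .sdb files present on disk but absent from InstalledSDB: either residue of an
    # uninstall or a database that was dropped without going through sdbinst.
    $registeredPaths = @(Get-InstalledShimDatabase | ForEach-Object { $_.Path })
    Get-ChildItem -Path $AppPatchDirs -Filter *.sdb -File -ErrorAction SilentlyContinue |
        Where-Object { $registeredPaths -notcontains $_.FullName }
}

"== Registered custom shim databases =="
Get-InstalledShimDatabase | Format-Table -AutoSize
"== Executables with custom shims attached =="
Get-ShimmedExecutable | Format-Table -AutoSize
"== SDB files on disk with no registry entry =="
Get-UnregisteredShimFile | Select-Object FullName, LastWriteTimeUtc, Length | Format-Table -AutoSize
```

On a clean workstation all three tables are normally empty; any entry is worth explaining, in particular a database whose Path points outside %SystemRoot%\AppPatch, whose file no longer exists, or whose attached executable is a system process. For offline images the same InstalledSDB and Custom keys can be read out of the SOFTWARE hive with a hive parser instead of the live registry provider, and the FILETIME install stamp then gives you an event to line up against the rest of the timeline.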


Presenters:

  • Jon Tomczak
    Jonathan Tomczak fights evil as a consultant at Mandiant, a FireEye Company. Based in the Washington DC area, Jonathan has experience in Windows forensics and software development. Jonathan has been in the security field since 2006, where he co-founded TZWorks building Windows forensics tools. In his off-time, he enjoys video games, video game development, and playing with drones.
  • Willi Ballenthin
    Willi Ballenthin is a reverse engineer at FireEye who specializes in incident response and computer forensics. He can typically be found investigating intrusions at Fortune 500 companies and enjoys reverse engineering malware, developing forensic techniques, and exploring the cutting edge. Willi is the author of a number of cross-platform tools including python-registry, python-evtx, and INDXParse.py.
