{
  "description": "Enterprise techniques used by ShimRat, ATT&CK software S0444 (v1.0)",
  "name": "ShimRat (S0444)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1548", "showSubtechniques": true},
    {"techniqueID": "T1548.002", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Account Control window from appearing.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) communicated over HTTP and HTTPS with C2 servers.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) has installed a registry-based start-up key HKCU\\Software\\microsoft\\windows\\CurrentVersion\\Run to maintain persistence should other methods fail.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) can be issued a command shell function from the C2.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.003", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) has installed a Windows service to maintain persistence on victim machines.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) has the capability to upload collected files to a C2.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1546", "showSubtechniques": true},
    {"techniqueID": "T1546.011", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) has installed shim databases in the AppPatch folder.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1008", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) has used a secondary C2 location if the first was unavailable.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) can list directories.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) can uninstall itself from compromised hosts, as well as create and modify directories, and delete, move, copy, and rename files.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) can download additional files.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) can impersonate Windows services and antivirus products to avoid detection on compromised systems.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) has registered two registry keys for shim databases.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) has used Windows API functions to install the service and shim.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) can enumerate connected drives on infected host machines.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[ShimRat](https://attack.mitre.org/software/S0444)'s loader has been packed with the compressed [ShimRat](https://attack.mitre.org/software/S0444) core DLL and the legitimate DLL for it to hijack.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.015", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1090", "showSubtechniques": true},
    {"techniqueID": "T1090.002", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) can use pre-configured HTTP proxies.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1029", "comment": "[ShimRat](https://attack.mitre.org/software/S0444) can sleep when instructed to do so by the C2.(Citation: FOX-IT May 2016 Mofang)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by ShimRat", "color": "#66b1ff"}]
}
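The layer above names four host artifact classes for ShimRat: custom shim databases installed under AppPatch and registered in two registry keys (T1546.011, T1112), a per-user Run key (T1547.001), a Windows service (T1543.003), and a cryptbase.dll planted so that migwiz.exe loads it for a UAC bypass (T1548.002, T1574). The following hunt script is an added example, not part of the ATT&CK layer or the FOX-IT report, and is not ShimRat's own code. It assumes the standard locations sdbinst writes to (AppCompatFlags\Custom and AppCompatFlags\InstalledSDB, %windir%\AppPatch\Custom) and that a side-loaded cryptbase.dll would sit beside migwiz.exe in %windir%\System32\migwiz; the service heuristic (binary outside the Windows directory) is a coarse triage filter, not a ShimRat signature.

```powershell
# Added hunt script (example code, not from the FOX-IT report or the ATT&CK layer).
# Collects the artifact classes attributed to ShimRat above into one table for triage.
# Run elevated so the HKLM keys and System32 are readable.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Item, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail })
}

# 1. T1546.011 / T1112: shim databases registered by sdbinst live under these two keys
#    (assumption: the "two registry keys" in the layer are these standard sdbinst locations)
$shimKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
)
foreach ($key in $shimKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key -Recurse | ForEach-Object {
            Add-Finding 'ShimRegistry' $_.Name ($_.GetValueNames() -join ',')
        }
    }
}

# Custom .sdb files are dropped into AppPatch\Custom (and Custom64 on x64)
foreach ($dir in "$env:windir\AppPatch\Custom", "$env:windir\AppPatch\Custom\Custom64") {
    if (Test-Path $dir) {
        Get-ChildItem $dir -Filter *.sdb -ErrorAction SilentlyContinue | ForEach-Object {
            Add-Finding 'ShimFile' $_.FullName "LastWrite=$($_.LastWriteTime)"
        }
    }
}

# 2. T1547.001: per-user Run key; every value is a candidate autostart
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    (Get-ItemProperty $runKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop the provider's PSPath/PSDrive/... properties
        ForEach-Object { Add-Finding 'RunKey' $_.Name $_.Value }
}

# 3. T1548.002 / T1574: migwiz.exe loads cryptbase.dll from its own directory first;
#    the legitimate copy lives in System32, so any cryptbase.dll in the migwiz folder is suspect
#    (assumption: planted copy is placed beside migwiz.exe)
$planted = "$env:windir\System32\migwiz\cryptbase.dll"
if (Test-Path $planted) {
    $sig = Get-AuthenticodeSignature $planted
    $hash = (Get-FileHash $planted -Algorithm SHA256).Hash
    Add-Finding 'MigwizSideload' $planted "Signature=$($sig.Status) SHA256=$hash"
}

# 4. T1543.003: services whose binary path is outside the Windows directory (coarse filter)
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
    ForEach-Object { Add-Finding 'Service' $_.Name "$($_.StartMode) $($_.PathName)" }

$findings | Sort-Object Check, Item | Format-Table -AutoSize
```

A clean host normally returns no ShimRegistry or ShimFile rows and no MigwizSideload row; Run-key and Service rows need manual review against known software, and any .sdb whose LastWrite time coincides with a suspicious service installation is the first thing to pull for sdb-explorer-style analysis.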