Application Shimming and Data from Local System

Application shimming is a powerful feature that allows for backward compatibility across different versions of Windows OS. Adversaries manipulate this feature to bypass controls. They also search local file systems for files of interest. Get the skills to detect this behavior and prevent adversaries from setting up shop in your organization.

Course Content

Detection, Validation, and Mitigation (Lab)


Application Shimming and Data from Local System
What is the Data from Local System Technique?


Application Shimming and Data from Local System
What is Application Shimming?


Application Shimming and Data from Local System
Course Description

Application Shimming is a Windows process used mostly for allowing developers to apply fixes to applications in support of backward compatibility. It also creates a buffer between the application and the OS level.

Backward compatibility across different operating system versions has enabled the market to get necessary upgrades accomplished without sacrificing functionality. It’s not difficult to imagine how many more endpoints could be running Windows XP if this feature didn’t exist. However, any feature that is present on massive numbers of endpoints at the core of the operating system is likely to be a strong target for adversary actions. This is exactly where we find Application Shimming today. In addition, adversaries who gain access can search local file systems and databases for files of interest that they want to obtain in exfiltration (i.e, Data from Local System).

In this course, you will learn how to detect the abuse of application shimming with the sub-technique: Application Shimming (T1546.001) and also detect if Data from the Local System (T1005) was stolen. This interactive course will help you better understand how application shimming can be abused, as well as help you detect its operations in a SIEM solution.

By the end of this course, you should be able to:

  • Describe how an adversary could abuse application shimming to gain persistence or steal data.
  • Recommend detection measures related to application shimming and data stolen from local system
  • Recommend mitigation measures to protect against future application shimming attacks
  • Get the hands-on skills you need to detect and mitigate this attack in Cybrary's MITRE ATT&CK Framework courses aligned to the tactics and techniques used by financially motivated threat group FIN7. Prevent adversaries from accomplishing the tactics of Privilege Escalation, Persistence, and Collection in your environment now.

    This course is part of a Career Path:
    No items found.

    Instructed by

    Master Instructor
    Matthew Mullins

    Matt has led multiple Red Team engagements, ranging from a few weeks to a year and covering multiple security domains. Outside of Red Teaming, Matt is also a seasoned penetration tester with interests in: AppSec, OSINT, Hardware, Wifi, Social Engineering, and Physical Security. Matt has a Master's degree in Information Assurance and an exhaustive number of certifications ranging from frameworks, management, and hands-on hacking. Matt is a Technical SME at Cybrary, focusing on Adversarial Emulation and Red Teaming for course content.

    Owen Dubiel

    Owen is certified in the GIAC GSEC, CompTIA CySA+, and various other vendor-related certifications. He works both as a technical security engineer and as an SME architect instructor in his spare time. Spreading the word of cyber security is a passion of his. Owen lives in Southeast Michigan with his beautiful wife, daughter, and his dog, Thor. In his free time, Owen enjoys watching sports and movies, and spending time with his family.

    Cybrary Logo
    Certification Body
    Certificate of Completion

    Complete this entire course to earn a Application Shimming and Data from Local System Certificate of Completion