Systems and Security : Attacks, Threats, and Vulnerabilities
1.3 Application Attacks and Indicators
Driver manipulation: Shimming and Refactoring
Driver manipulation refers to the alteration of system drivers to achieve a malicious outcome. Shimming and refactoring are two methods of driver manipulation.
Shimming is the process of inserting a layer (a shim) between an application and the operating system so that the application's behavior can be altered without changing the application itself. An attacker can use a shim to modify or remove security features, to bypass anti-virus or other security software, or to hide the presence of malware.
Refactoring is the process of modifying an existing driver to change its behavior. Legitimately this is done to add features or improve performance; in a malicious context it is done to bypass security measures, create backdoors, or introduce new vulnerabilities into a system.
Both shimming and refactoring can compromise the security of a system, so it is important to ensure that every driver installed on a system comes from a trusted source and is kept up to date so that known vulnerabilities are fixed.
Pass the hash
Pass the hash is a technique used in cyber-attacks in which a stolen Windows password hash, rather than the password itself, is used to gain unauthorized access to systems and data. The technique takes advantage of the way Windows stores and uses password hashes to authenticate users.
In a pass the hash attack, the attacker first steals a password hash from a compromised system. The attacker can then present that hash to impersonate the user and gain access to other systems and resources without ever learning the actual password. This works because Windows authenticates the user with the hash, not with the password, so possessing the hash is as good as possessing the password.
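The following added example (not part of the original notes) models why pass the hash works: in a challenge-response logon like Windows NTLM, the response is keyed with the stored password hash, so a client holding only the hash produces exactly the same proof as one holding the password. It is a constructed toy, not real NTLM: SHA-256 and HMAC-SHA256 stand in for NTLM's MD4 and HMAC-MD5 (an assumption so it runs without legacy OpenSSL providers), and the user names and passwords are made up.

```python
import hashlib
import hmac
import os

def nt_hash(password: str) -> bytes:
    """Toy stand-in for the NT hash. Real NTLM uses MD4 over UTF-16LE;
    SHA-256 is substituted here (assumption) and keeps the same property:
    the server stores this value, never the password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(secret_hash: bytes, challenge: bytes) -> bytes:
    """Challenge-response proof keyed by the hash (HMAC-SHA256 stands in
    for NTLM's HMAC-MD5). Note the input is the hash, not the password."""
    return hmac.new(secret_hash, challenge, hashlib.sha256).digest()

class Server:
    """Authenticating host. Its credential store holds only hashes."""
    def __init__(self, users: dict[str, str]):
        self.store = {user: nt_hash(pw) for user, pw in users.items()}

    def challenge(self) -> bytes:
        # Fresh nonce per logon: stops replay of an old response,
        # but does nothing against a client that holds the hash itself.
        return os.urandom(8)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        expected = compute_response(self.store[user], challenge)
        return hmac.compare_digest(expected, response)

def client_with_password(password: str, challenge: bytes) -> bytes:
    """Legitimate client: derives the hash from the typed password."""
    return compute_response(nt_hash(password), challenge)

def client_with_hash_only(stolen_hash: bytes, challenge: bytes) -> bytes:
    """Pass-the-hash client: never knows the password, only the hash."""
    return compute_response(stolen_hash, challenge)

def demo() -> dict[str, bool]:
    server = Server({"alice": "Winter2024!"})        # constructed sample user
    stolen = nt_hash("Winter2024!")                   # what an attacker dumps
    ch = server.challenge()
    legit = server.verify("alice", ch, client_with_password("Winter2024!", ch))
    pth = server.verify("alice", ch, client_with_hash_only(stolen, ch))
    wrong = server.verify("alice", ch, client_with_password("guess", ch))
    # Replaying the earlier response against a new challenge fails, showing
    # that the nonce defends against replay but not against a stolen hash.
    replay = server.verify("alice", server.challenge(),
                           client_with_hash_only(stolen, ch))
    return {"password": legit, "hash_only": pth,
            "wrong_password": wrong, "replay": replay}

if __name__ == "__main__":
    print(demo())
```

The server cannot tell the two successful logons apart, which is why the mitigation is to protect hashes as strictly as passwords (limit privileged logons to workstations, clear cached credentials) rather than to change the protocol check.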