Manipulating Shim and Office for Code Injection

Ron Ben-Yizhak, David Shandalov

DEF CON 32 · Main Stage · Day 1

This talk, "Shimmy What You Got: Manipulating Shim and Office for Code Injection," delivered by Ron Ben-Yizhak and David Shandalov of Deep Instinct, presents novel methods for achieving code injection and privilege escalation on Windows systems. The researchers examined the often-overlooked Windows Application Compatibility Framework (the shim infrastructure) and its interaction with Microsoft Office, a ubiquitous and complex software suite. Their work reveals previously undocumented Remote Procedure Call (RPC) methods within Office's `Click-to-Run` service that can be used for arbitrary DLL injection.

AI review

This talk presents two distinct, highly sophisticated attack vectors: an undocumented RPC method within Microsoft Office's Click-to-Run service for arbitrary DLL injection, and a novel fileless technique for applying malicious shims. Both methods achieve privilege escalation to NT AUTHORITY\SYSTEM and demonstrate significant EDR evasion capabilities by leveraging trusted system components. The research is deeply technical, original, and provides critical insights for both offensive and defensive security practitioners, making it a must-see for anyone serious about Windows internals.
