As Sh1mmer requires a USB in order to function, it is unlikely that an attacker is going to add this exploit to their toolkit. However, it is possible that an attacker may socially engineer a user into performing this exploit on their own device. From an organizational standpoint, however, the biggest risk comes from users unenrolling their devices on their own to bypass security restrictions, which would then leave their device vulnerable to further compromise. The best way to protect against this exploit being used in the environment would be to monitor for managed Chromebook devices going inactive unexpectedly and then investigating the devices. Additionally, one could monitor for connections to the Sh1mmer site or monitor process creations tied to the Chrome recovery utility.
https://www.bleepingcomputer.com/news/security/new-sh1mmer-chromebook-exploit-unenrolls-managed-devices/
