SharPersist v1.0.1 releases: Windows persistence toolkit written in C#
SharPersist
Windows persistence toolkit is written in C#.
Overview
SharPersist was created in order to assist with establishing persistence on Windows operating systems using a multitude of different techniques. It is a command-line tool written in C# which can be reflectively loaded with Cobalt Strike’s “execute-assembly” functionality or any other framework that supports the reflective loading of .NET assemblies. SharPersist was designed to be modular to allow new persistence techniques to be added in the future. There are also several items related to tradecraft that has been built-in to the tool and its supported persistence techniques, such as file time stomping and running applications minimized or hidden.
Techniques
- keepass: Backdoor KeePass config file
- reg: Registry key addition/modification
- schtaskbackdoor: Backdoor scheduled task with additional action
- startupfolder: LNK file in the startup folder
- tortoisesvn: Tortoise SVN hook script
- service: Creates a new service
- schtask: Create a new scheduled task
| Technique | Description | Technique Switch Name (-t) | Admin Privileges Required? | Touches Registry? | Adds/Modifies/Removes Files on Disk? |
|---|---|---|---|---|---|
| KeePass | Backdoored KeePass configuration file with malicious trigger | keepass | No | No | Yes |
| New Scheduled Task | A new scheduled task that runs a specified command | schtask | No | No | Yes |
| Registry | Registry modification | reg | No | Yes | No |
| Startup Folder | LNK file in a user-startup folder | startupfolder | No | No | Yes |
| Tortoise SVN Hook Script | Tortoise SVN hook script to execute a command when a user connects to SVN repo | tortoisesvn | No | Yes | No |
| New Service | New service that runs a specified application | service | Yes | Yes | No |
| Scheduled Task Backdoor | Adds additional action to an existing scheduled task | schtaskbackdoor | Yes | No | Yes |
Changelog v1.0.1
Fixed bugs in service persistence
-For check module, added local admin/high integrity check
-For remove module, changed the way service is removed. No longer does it just remove from registry.
-For add module, changed the way service is added so that it does not take arguments as literal file path
Copyright 2019 FireEye, Inc. Developed by Brett Hawkins
