FireEye on Tuesday announced the release of SharPersist, a free and open source Windows persistence toolkit designed for Red Teams, which help organizations test the efficiency of their protection systems and improve their security posture by assuming the role of an adversary.
Microsoft’s PowerShell framework has long been abused by malicious actors in their operations, but protection mechanisms implemented by software and cybersecurity vendors are making it increasingly difficult to launch PowerShell-based attacks. Moving from PowerShell to C# can help attackers evade some defenses and projects such as GhostPack provide C# implementations of PowerShell functionality known to have been used in attacks.
However, FireEye says there are no C# tools that focus on the persistence phase of an attack, which is why Mandiant’s Red Team has decided to make its SharPersist tool, which specializes in Windows persistence, available as open source on GitHub.
SharPersist is a command-line tool written in C# that can be loaded with any framework that supports reflective loading of .NET assemblies. An example provided by FireEye for loading SharPersist is Cobalt Strike’s execute-assembly functionality.
The tool has been designed with a modular architecture to allow for new persistence techniques to be added. The current version of SharPersist supports techniques involving KeePass, new or existing scheduled tasks, new Windows services, new or modified registry entries, the Startup folder, and the Tortoise SVN.
“Using reflective C# to assist in various phases of the attack lifecycle is a necessity in the offensive community and persistence is no exception. Windows provides multiple techniques for persistence and there will continue to be more discovered and used by security professionals and adversaries alike,” said FireEye’s Brett Hawkins.
SharPersist is not the first tool released as open source by FireEye. In recent years it also released GoCrack for managed password cracking, GeoLogonalyzer for detecting malicious logins based on geolocation, FLASHMINGO for automating the analysis of Flash files, and the FLARE VM malware analysis toolbox.