FireEye Releases Open Source Persistence Toolkit ‘SharPersist’

FireEye on Tuesday announced the release of SharPersist, a free and open source Windows persistence toolkit designed for Red Teams, which help organizations test the efficiency of their protection systems and improve their security posture by assuming the role of an adversary.

Microsoft’s PowerShell framework has long been abused by malicious actors in their operations, but protection mechanisms implemented by software and cybersecurity vendors are making it increasingly difficult to launch PowerShell-based attacks. Moving from PowerShell to C# can help attackers evade some defenses, and projects such as GhostPack provide C# implementations of PowerShell functionality known to have been used in attacks.

However, FireEye says there are no C# tools that focus on the persistence phase of an attack, which is why Mandiant’s Red Team has decided to make its SharPersist tool, which specializes in Windows persistence, available as open source on GitHub.

SharPersist is a command-line tool written in C# that can be loaded with any framework that supports reflective loading of .NET assemblies. An example provided by FireEye for loading SharPersist is Cobalt Strike’s execute-assembly functionality.

The tool has been designed with a modular architecture to allow for new persistence techniques to be added. The current version of SharPersist supports techniques involving KeePass, new or existing scheduled tasks, new Windows services, new or modified registry entries, the Startup folder, and TortoiseSVN.

FireEye has made available detailed instructions for using SharPersist, including a blog post and a wiki page on GitHub.

“Using reflective C# to assist in various phases of the attack lifecycle is a necessity in the offensive community and persistence is no exception. Windows provides multiple techniques for persistence and there will continue to be more discovered and used by security professionals and adversaries alike,” said FireEye’s Brett Hawkins.

SharPersist is not the first tool released as open source by FireEye. In recent years it also released GoCrack for managed password cracking, GeoLogonalyzer for detecting malicious logins based on geolocation, FLASHMINGO for automating the analysis of Flash files, and the FLARE VM malware analysis toolbox.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
