SecurityWeek

FireEye Releases Open Source Persistence Toolkit ‘SharPersist’

FireEye on Tuesday announced the release of SharPersist, a free and open source Windows persistence toolkit designed for Red Teams, which help organizations test the efficiency of their protection systems and improve their security posture by assuming the role of an adversary.

Microsoft’s PowerShell framework has long been abused by malicious actors in their operations, but protection mechanisms implemented by software and cybersecurity vendors are making it increasingly difficult to launch PowerShell-based attacks. Moving from PowerShell to C# can help attackers evade some defenses, and projects such as GhostPack provide C# implementations of PowerShell functionality known to have been used in attacks.

However, FireEye says there are no C# tools that focus on the persistence phase of an attack, which is why Mandiant’s Red Team has decided to make its SharPersist tool, which specializes in Windows persistence, available as open source on GitHub.

SharPersist is a command-line tool written in C# that can be loaded with any framework that supports reflective loading of .NET assemblies. An example provided by FireEye for loading SharPersist is Cobalt Strike’s execute-assembly functionality.

The tool has been designed with a modular architecture so that new persistence techniques can be added. The current version of SharPersist supports techniques involving KeePass, new or existing scheduled tasks, new Windows services, new or modified registry entries, the Startup folder, and Tortoise SVN.

FireEye has made available detailed instructions for using SharPersist, including a blog post and a wiki page on GitHub.

“Using reflective C# to assist in various phases of the attack lifecycle is a necessity in the offensive community and persistence is no exception. Windows provides multiple techniques for persistence and there will continue to be more discovered and used by security professionals and adversaries alike,” said FireEye’s Brett Hawkins.

SharPersist is not the first tool released as open source by FireEye. In recent years it also released GoCrack for managed password cracking, GeoLogonalyzer for detecting malicious logins based on geolocation, FLASHMINGO for automating the analysis of Flash files, and the FLARE VM malware analysis toolbox.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
