FireEye on Tuesday announced the release of SharPersist, a free and open source Windows persistence toolkit designed for Red Teams, which help organizations test the efficiency of their protection systems and improve their security posture by assuming the role of an adversary.
Microsoft’s PowerShell framework has long been abused by malicious actors in their operations, but protection mechanisms implemented by software and cybersecurity vendors are making it increasingly difficult to launch PowerShell-based attacks. Moving from PowerShell to C# can help attackers evade some defenses, and projects such as GhostPack provide C# implementations of PowerShell functionality known to have been used in attacks.
However, FireEye says there are no C# tools that focus on the persistence phase of an attack, which is why Mandiant’s Red Team has decided to make its SharPersist tool, which specializes in Windows persistence, available as open source on GitHub.
SharPersist is a command-line tool written in C# that can be loaded with any framework that supports reflective loading of .NET assemblies. An example provided by FireEye for loading SharPersist is Cobalt Strike’s execute-assembly functionality.
The tool has been designed with a modular architecture so that new persistence techniques can be added. The current version of SharPersist supports techniques involving KeePass, new or existing scheduled tasks, new Windows services, new or modified registry entries, the Startup folder, and TortoiseSVN.
FireEye has made available detailed instructions for using SharPersist, including a blog post and a wiki page on GitHub.
“Using reflective C# to assist in various phases of the attack lifecycle is a necessity in the offensive community and persistence is no exception. Windows provides multiple techniques for persistence and there will continue to be more discovered and used by security professionals and adversaries alike,” said FireEye’s Brett Hawkins.
SharPersist is not the first tool released as open source by FireEye. In recent years it also released GoCrack for managed password cracking, GeoLogonalyzer for detecting malicious logins based on geolocation, FLASHMINGO for automating the analysis of Flash files, and the FLARE VM malware analysis toolbox.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
