FireEye Releases Open Source Persistence Toolkit ‘SharPersist’

FireEye on Tuesday announced the release of SharPersist, a free and open source Windows persistence toolkit designed for Red Teams, which help organizations test the efficiency of their protection systems and improve their security posture by assuming the role of an adversary.

Microsoft’s PowerShell framework has long been abused by malicious actors in their operations, but protection mechanisms implemented by software and cybersecurity vendors are making it increasingly difficult to launch PowerShell-based attacks. Moving from PowerShell to C# can help attackers evade some defenses, and projects such as GhostPack provide C# implementations of PowerShell functionality known to have been used in attacks.

However, FireEye says there are no C# tools that focus on the persistence phase of an attack, which is why Mandiant’s Red Team has decided to make its SharPersist tool, which specializes in Windows persistence, available as open source on GitHub.

SharPersist is a command-line tool written in C# that can be loaded with any framework that supports reflective loading of .NET assemblies. An example provided by FireEye for loading SharPersist is Cobalt Strike’s execute-assembly functionality.

The tool has been designed with a modular architecture to allow new persistence techniques to be added. The current version of SharPersist supports techniques involving KeePass, new or existing scheduled tasks, new Windows services, new or modified registry entries, the Startup folder, and TortoiseSVN.

FireEye has made available detailed instructions for using SharPersist, including a blog post and a wiki page on GitHub.

“Using reflective C# to assist in various phases of the attack lifecycle is a necessity in the offensive community and persistence is no exception. Windows provides multiple techniques for persistence and there will continue to be more discovered and used by security professionals and adversaries alike,” said FireEye’s Brett Hawkins.

SharPersist is not the first tool released as open source by FireEye. In recent years it also released GoCrack for managed password cracking, GeoLogonalyzer for detecting malicious logins based on geolocation, FLASHMINGO for automating the analysis of Flash files, and the FLARE VM malware analysis toolbox.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
