PowerShell has been used by the offensive community for several years now but recent advances in the defensive security industry are causing offensive toolkits to migrate from PowerShell to reflective C# to evade modern security products. Some of these advancements include Script Block Logging, Antimalware Scripting Interface (AMSI), and the development of signatures for malicious PowerShell activity by third-party security vendors. Several public C# toolkits such as Seatbelt, SharpUp and SharpView have been released to assist with tasks in various phases of the attack lifecycle. One phase of the attack lifecycle that has been missing a C# toolkit is persistence. This post will talk about a new Windows Persistence Toolkit created by FireEye Mandiant’s Red Team called SharPersist.
During a Red Team engagement, a lot of time and effort is spent gaining initial access to an organization, so it is vital that the access is maintained in a reliable manner. Therefore, persistence is a key component in the attack lifecycle, shown in Figure 1.
Figure 1: FireEye Attack Lifecycle Diagram
Once an attacker establishes persistence on a system, the attacker will have continual access to the system after any power loss, reboots, or network interference. This allows an attacker to lay dormant on a network for extended periods of time, whether it be weeks, months, or even years. There are two key components of establishing persistence: the persistence implant and the persistence trigger, shown in Figure 2. The persistence implant is the malicious payload, such as an executable (EXE), HTML Application (HTA), dynamic link library (DLL), or some other form of code execution. The persistence trigger is what will cause the payload to execute, such as a scheduled task or Windows service. There are several known persistence triggers that can be used on Windows, such as Windows services, scheduled tasks, registry, and startup folder, and there continues to be more discovered. For a more thorough list, see the MITRE ATT&CK persistence page.
Figure 2: Persistence equation
SharPersist was created in order to assist with establishing persistence on Windows operating systems using a multitude of different techniques. It is a command line tool written in C# which can be reflectively loaded with Cobalt Strike’s “execute-assembly” functionality or any other framework that supports the reflective loading of .NET assemblies. SharPersist was designed to be modular to allow new persistence techniques to be added in the future. There are also several items related to tradecraft that have been built-in to the tool and its supported persistence techniques, such as file time stomping and running applications minimized or hidden.
SharPersist and all associated usage documentation can be found at the SharPersist FireEye GitHub page.
There are several persistence techniques that are supported in SharPersist at the time of this blog post. A full list of these techniques and their required privileges is shown in Figure 3.
Technique | Description | Technique Switch Name (-t) | Admin Privileges Required? | Touches Registry? | Adds/Modifies Files on Disk? |
KeePass | Backdoor KeePass configuration file |
keepass | No | No | Yes |
New Scheduled Task | Creates new scheduled task |
schtask | No | No | Yes |
New Windows Service | Creates new Windows service | service | Yes | Yes | No |
Registry | Registry key/value creation/modification | reg | No | Yes | No |
Scheduled Task Backdoor |
Backdoors existing scheduled task with additional action | schtaskbackdoor | Yes | No | Yes |
Startup Folder | Creates LNK file in user startup folder | startupfolder | No | No | Yes |
Tortoise SVN | Creates Tortoise SVN hook script | tortoisesvn | No | Yes | No |
Figure 3: Table of supported persistence techniques
On the SharPersist GitHub, there is full documentation on usage and examples for each persistence technique. A few of the techniques will be highlighted below.
The first technique that will be highlighted is the registry persistence. A full listing of the supported registry keys in SharPersist is shown in Figure 4.
Registry Key Code (-k) | Registry Key | Registry Value | Admin Privileges Required? | Supports Env Optional Add-On (-o env)? |
hklmrun | HKLM\Software\Microsoft\Windows\CurrentVersion\Run | User supplied | Yes | Yes |
hklmrunonce | HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | User supplied | Yes | Yes |
hklmrunonceex | HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx | User supplied | Yes | Yes |
userinit | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit | Yes | No |
hkcurun | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | User supplied | No | Yes |
hkcurunonce | HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | User supplied | No | Yes |
logonscript | HKCU\Environment | UserInitMprLogonScript | No | No |
stickynotes | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | RESTART_STICKY_NOTES | No | No |
Figure 4: Supported registry keys table
In the following example, we will be performing a validation of our arguments and then will add registry persistence. Performing a validation before adding the persistence is a best practice, as it will make sure that you have the correct arguments, and other safety checks before actually adding the respective persistence technique. The example shown in Figure 5 creates a registry value named “Test” with the value “cmd.exe /c calc.exe” in the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry key.
Figure 5: Adding registry persistence
Once the persistence needs to be removed, it can be removed using the “-m remove” argument, as shown in Figure 6. We are removing the “Test” registry value that was created previously, and then we are listing all registry values in “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” to validate that it was removed.
Figure 6: Removing registry persistence
The second persistence technique that will be highlighted is the startup folder persistence technique. In this example, we are creating an LNK file called “Test.lnk” that will be placed in the current user’s startup folder and will execute “cmd.exe /c calc.exe”, shown in Figure 7.
Figure 7: Performing dry-run and adding
startup folder persistence
The startup folder persistence can then be removed, again using the “-m remove” argument, as shown in Figure 8. This will remove the LNK file from the current user’s startup folder.
Figure 8: Removing startup folder persistence
The last technique highlighted here is the scheduled task backdoor persistence. Scheduled tasks can be configured to execute multiple actions at a time, and this technique will backdoor an existing scheduled task by adding an additional action. The first thing we need to do is look for a scheduled task to backdoor. In this case, we will be looking for scheduled tasks that run at logon, as shown in Figure 9.
Figure 9: Listing scheduled tasks that
run at logon
Once we have a scheduled task that we want to backdoor, we can perform a dry run to ensure the command will successfully work and then actually execute the command as shown in Figure 10.
Figure 10: Performing dry run and adding
scheduled task backdoor persistence
As you can see in Figure 11, the scheduled task is now backdoored with our malicious action.
Figure 11: Listing backdoored scheduled task
A backdoored scheduled task action used for persistence can be removed as shown in Figure 12.
Figure 12: Removing backdoored scheduled
task action
Using reflective C# to assist in various phases of the attack lifecycle is a necessity in the offensive community and persistence is no exception. Windows provides multiple techniques for persistence and there will continue to be more discovered and used by security professionals and adversaries alike.
This tool is intended to aid security professionals in the persistence phase of the attack lifecycle. By releasing SharPersist, we at FireEye Mandiant hope to bring awareness to the various persistence techniques that are available in Windows and the ability to use these persistence techniques with C# rather than PowerShell.
Click to Open Code Editor