SharpHide : Tool To Create Hidden Registry Keys

SharpHide is just a nice persistence trick to confuse DFIR investigation. Uses NtSetValueKey native API to create a hidden (null terminated) registry key. This works by adding a null byte in front of the UNICODE_STRING key valuename.

The tool uses the following registry path in which it creates the hidden run key: (HKCU if user, else HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Also Read – BurpSuite : Secret Finder Extension To Discover APIkeys/Tokens From HTTP Response

Usage

To Create hidden registry (Run) key:

SharpHide.exe action=create keyvalue=”C:\Windows\Temp\Bla.exe”

To Create a hidden registry (Run) key with parameters:

SharpHide.exe action=create keyvalue=”C:\Windows\Temp\Bla.exe” arguments=”arg1 arg2″

Delete hidden registry (Run) key:

SharpHide.exe action=delete

This tool also works with Cobalt Strike’s execute-assembly.

Credits: Cornelis de Plaa (@Cneelis) / Outflank

R K

Recent Posts

Pystinger : Bypass Firewall For Traffic Forwarding Using Webshell

Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…

7 days ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

7 days ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

1 week ago

How to Bash Append to File: A Simple Guide for Beginners

If you are working with Linux or writing bash scripts, one of the most common…

1 week ago

Mastering the Bash Case Statement with Simple Examples

What is a bash case statement? A bash case statement is a way to control…

1 week ago

How to Check if a File Exists in Bash – Simply Explained

Why Do We Check Files in Bash? When writing a Bash script, you often work…

1 week ago