SharpHide is just a nice persistence trick to confuse DFIR investigation. Uses NtSetValueKey native API to create a hidden (null terminated) registry key. This works by adding a null byte in front of the UNICODE_STRING key valuename.
The tool uses the following registry path in which it creates the hidden run key: (HKCU if user, else HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Also Read – BurpSuite : Secret Finder Extension To Discover APIkeys/Tokens From HTTP Response
Usage
To Create hidden registry (Run) key:
SharpHide.exe action=create keyvalue=”C:\Windows\Temp\Bla.exe”
To Create a hidden registry (Run) key with parameters:
SharpHide.exe action=create keyvalue=”C:\Windows\Temp\Bla.exe” arguments=”arg1 arg2″
Delete hidden registry (Run) key:
SharpHide.exe action=delete
This tool also works with Cobalt Strike’s execute-assembly.
Credits: Cornelis de Plaa (@Cneelis) / Outflank
This repository contains tools created by yogSahare0 while learning Python 3 for ethical hacking and penetration testing.…
"NetSecChallenger" provides a suite of automated tools designed for security professionals and network administrators to…
The essential tool for cybersecurity enthusiasts! This guide provides a detailed walkthrough on how to…
Meet "Poodone," the ultimate Python script designed for cybersecurity enthusiasts and professionals alike. Packed with…
The Linux version is no longer supported! The last Linux version is 6.0 that you…
Jin is a hacking command-line tools designed to make your scan port, gathering urls, check…