SharpHide is just a nice persistence trick to confuse DFIR investigation. Uses NtSetValueKey native API to create a hidden (null terminated) registry key. This works by adding a null byte in front of the UNICODE_STRING key valuename.
The tool uses the following registry path in which it creates the hidden run key: (HKCU if user, else HKLM)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Also Read – BurpSuite : Secret Finder Extension To Discover APIkeys/Tokens From HTTP Response
Usage
To Create hidden registry (Run) key:
SharpHide.exe action=create keyvalue=”C:\Windows\Temp\Bla.exe”
To Create a hidden registry (Run) key with parameters:
SharpHide.exe action=create keyvalue=”C:\Windows\Temp\Bla.exe” arguments=”arg1 arg2″
Delete hidden registry (Run) key:
SharpHide.exe action=delete
This tool also works with Cobalt Strike’s execute-assembly.
Credits: Cornelis de Plaa (@Cneelis) / Outflank
Setting a static IP address on your server is a smart move. It ensures your…
Xrdp is an open-source implementation of the Microsoft Remote Desktop Protocol (RDP). It lets you access…
Managing user accounts is one of the most basic system administration tasks on any Linux…
Wine (short for "Wine Is Not an Emulator") is a compatibility layer that lets you run…
KVM (Kernel-based Virtual Machine) is an open-source virtualization technology built into the Linux kernel. It lets…
Ubuntu 20.04 LTS (code name Focal Fossa) was released on April 23, 2020. It is a…