Persistence by writing/reading shellcode from Event Log.
Usage
The SharpEventPersist tool takes 4 case-sensitive parameters:
- -file "C:\path\to\shellcode.bin"
- -instanceid 1337
- -source Persistence
- -eventlog "Key Management Service"
The shellcode is converted to hex and written to the "Key Management Service" event log; the event level is set to "Information" and the source is "Persistence".
Run the SharpEventLoader tool to fetch the shellcode from the event log and execute it. Ideally this should be converted to a DLL and sideloaded on program start/boot.
Remember to change the Event Log name and instanceId in the loader if not using the default values.
Default values will leave the following artifacts:
- A new key will be written to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service named "Persistance".
- This new "Persistance" key will not have a ProviderGuid or TypesSupported value, which the default key "KmsRequests" has. This can be used to build detections.
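The detection hinted at above, as an added example that is not part of the SharpEventPersist project: it lists Event Log source subkeys that lack the ProviderGuid or TypesSupported values a normally registered source carries, then pulls that source's events whose body is one long hex string. The function names, the 256-character length threshold and the assumption that it runs locally with rights to read HKLM and the log are mine.

```powershell
# Added detection example (not SharpEventPersist/SharpEventLoader code).
# Assumes: run on the host being checked, with read access to HKLM and the event log.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'

function Get-SuspiciousEventSources {
    param([string]$LogName = 'Key Management Service')
    $logKey = Join-Path $base $LogName
    if (-not (Test-Path $logKey)) { return @() }
    # Each subkey of a log is a registered source; compare it with what "KmsRequests" has.
    Get-ChildItem -Path $logKey | ForEach-Object {
        $props    = Get-ItemProperty -Path $_.PSPath
        $hasGuid  = $null -ne $props.ProviderGuid
        $hasTypes = $null -ne $props.TypesSupported
        if (-not $hasGuid -or -not $hasTypes) {
            [pscustomobject]@{
                Log            = $LogName
                Source         = $_.PSChildName
                ProviderGuid   = $hasGuid
                TypesSupported = $hasTypes
                Key            = $_.Name
            }
        }
    }
}

function Get-HexPayloadEvents {
    param([string]$LogName = 'Key Management Service', [string]$Source, [int]$MinLength = 256)
    # An event whose whole body is a long hex string is consistent with stored shellcode.
    $filter = @{ LogName = $LogName; ProviderName = $Source }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Fall back to the raw event data when no message resource renders a description.
        $text = if ($_.Message) { $_.Message } else { ($_.Properties | ForEach-Object Value) -join '' }
        if ($text -match '^[0-9A-Fa-f]+$' -and $text.Length -ge $MinLength) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Source      = $_.ProviderName
                HexLength   = $text.Length
            }
        }
    }
}

foreach ($s in Get-SuspiciousEventSources) {
    Write-Output "Source '$($s.Source)' in log '$($s.Log)' lacks ProviderGuid/TypesSupported: $($s.Key)"
    Get-HexPayloadEvents -LogName $s.Log -Source $s.Source | Format-Table -AutoSize
}
```

Pass a different -LogName to both functions when the loader has been configured with a non-default log; the registry check alone already flags the "Persistance" key left by the default values.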