title: SharPersist Usage
id: 26488ad0-f9fd-4536-876f-52fea846a2e4
status: experimental
description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
references:
    - https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit
    - https://github.com/mandiant/SharPersist
author: Florian Roth
date: 2022/09/15
tags:
    - attack.persistence
    - attack.t1053
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\SharPersist.exe'
    selection2:
        Product: 'SharPersist'
    selection3:
        CommandLine|contains:
            - ' -t schtask -c '
            - ' -t startupfolder -c '
    selection4:
        CommandLine|contains|all:
            - ' -t reg -c '
            - ' -m add'
    selection5:
        CommandLine|contains|all:
            - ' -t service -c '
            - ' -m add'
    selection6:
        CommandLine|contains|all:
            - ' -t schtask -c '
            - ' -m add'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high