SharpEventPersist
Persistence by writing/reading shellcode from Event Log
Usage
The SharpEventPersist tool takes 4 case-sensitive parameters:
- -file "C:\path\to\shellcode.bin"
- -instanceid 1337
- -source Persistence
- -eventlog "Key Management Service"
The shellcode is converted to hex and written to the "Key Management Service" event log; the event level is set to "Information" and the source is "Persistence".
Run the SharpEventLoader tool to fetch the shellcode from the event log and execute it. Ideally this should be converted to a DLL and sideloaded on program start/boot.
Remember to change the Event Log name and instanceId in the loader, if not running with default values.
Default values will leave the following artifact:
- A new key will be written to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service named "Persistance".
- This new "Persistance" key will not have a provider GUID or TypesSupported, which the default key "KmsRequests" has. This can be used to build detections.
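One way to turn the artifact above into a check, as an added example that is not part of the SharpEventPersist project: it flags any source key under an event log that lacks values its sibling sources carry, so it does not depend on the key's name. The function names, the registry value names `ProviderGuid` and `TypesSupported` as the form of the two properties the README mentions, and the sample snapshot (including `EventMessageFile`) are assumptions made for illustration.

```python
"""Flag event-log source keys that lack the values their sibling sources carry."""
import sys

EVENTLOG_ROOT = r"SYSTEM\CurrentControlSet\Services\EventLog"
# Assumed registry value names for the two properties the README says are absent.
EXPECTED_VALUES = ("ProviderGuid", "TypesSupported")


def read_sources(log_name):
    """Return {source_name: set(value_names)} for one log (live registry, Windows only)."""
    import winreg
    sources = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EVENTLOG_ROOT + "\\" + log_name) as log_key:
        for i in range(winreg.QueryInfoKey(log_key)[0]):        # number of subkeys
            name = winreg.EnumKey(log_key, i)
            with winreg.OpenKey(log_key, name) as src_key:
                count = winreg.QueryInfoKey(src_key)[1]          # number of values
                sources[name] = {winreg.EnumValue(src_key, j)[0] for j in range(count)}
    return sources


def find_bare_sources(sources, expected=EXPECTED_VALUES):
    """Return [(source, missing_values)] for sources missing values that a sibling has."""
    # Registry value names are case-insensitive, so compare in lower case.
    lowered = {name: {v.lower() for v in vals} for name, vals in sources.items()}
    # Only expect a value if at least one source under this log actually carries it;
    # a log where no source has these values produces no findings.
    baseline = [v for v in expected if any(v.lower() in vals for vals in lowered.values())]
    findings = []
    for name in sorted(lowered):
        missing = [v for v in baseline if v.lower() not in lowered[name]]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed snapshot of the state the README describes (not captured from a real host).
SAMPLE = {
    "KmsRequests": {"ProviderGuid", "TypesSupported"},
    "Persistance": {"EventMessageFile"},
}

if __name__ == "__main__":
    live = sys.platform == "win32"
    sources = read_sources("Key Management Service") if live else SAMPLE
    for name, missing in find_bare_sources(sources):
        print(f"[!] source key '{name}' is missing: {', '.join(missing)}")
```

Because the loader's log name and source can be changed from the defaults, the same comparison can be run per log over every subkey of `EventLog`; expect to baseline legitimate sources that were registered without these values.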

