Full Report
This article originally appeared on the Stroz Friedberg, A LevelBlue Company, blog site.
Analysis Summary
# Tool/Technique: SharpParty
## Overview
SharpParty is a custom tool developed in C# that implements process injection capabilities, inspired by the work on "PoolParty" by SafeBreach Labs. Its primary purpose is likely to demonstrate or test process injection techniques, especially in an environment where threat actors might leverage native .NET capabilities. The provided context details a successful initial execution and establishment of command and control (C2) beacons, followed by detection via an Endpoint Detection and Response (EDR) tool targeting a specific execution behavior.
## Technical Details
- Type: Tool
- Platform: Windows (Implied by usage of `msbuild.exe` and Windows persistence mechanisms like registry run keys)
- Capabilities: Process injection, establishing C2 beacons, persistence via registry run keys.
- First Seen: Not explicitly stated; the tool was open-sourced following the prior "PoolParty" research.
## MITRE ATT&CK Mapping
Based on the observed behavior (process injection and persistence):
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.003 - Windows Command Shell (Implied execution chain)
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
    - T1547.001 - Registry Run Keys / Startup Folder (Demonstrated via registry run key test case)
- **TA0004 - Privilege Escalation**
  - T1055 - Process Injection
    - T1055.001 - Dynamic-link Library Injection (Common method for injection, but specific method is not detailed)
## Functionality
### Core Capabilities
- Execution of a malicious payload via self-contained C# code.
- Establishing outbound command-and-control (C2) sessions (beacons).
- Demonstration of persistence by configuring an auto-run registry key.
### Advanced Features
- **Process Injection:** The core functionality derived from the underlying "PoolParty" concept, enabling arbitrary code execution within a legitimate process space.
- **Evading Initial Detection:** The initial execution and beaconing evaded immediate EDR detection, highlighting the technique's potency before ancillary behaviors were flagged.
## Indicators of Compromise
*Note: Specific hashes, file names, and C2 addresses are not provided in the summary text.*
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: Autorun key configured to execute the SharpParty payload upon user logon.
- Network Indicators: Outbound C2 beacons are established after initial execution; no addresses are given in the summary. (Defanged example format: `c2[.]example[.]com`)
- Behavioral Indicators:
  - Initial execution followed by secondary beacon communication.
  - Malicious use of `msbuild.exe` detected by EDR after a 30-minute delay.
  - Payload injected into a target process.
## Associated Threat Actors
- The tool was developed and open-sourced by researchers at Stroz Friedberg/LevelBlue for testing and knowledge sharing. (No specific threat actor group usage is explicitly linked in the summary).
## Detection Methods
- **Signature-based detection:** Not explicitly mentioned as the primary detection method, but the EDR eventually caught the process execution.
- **Behavioral detection:** The EDR ultimately flagged the *malicious use of `msbuild.exe`* and the *malicious payload in the target process* about 30 minutes post-detonation.
- **YARA rules:** [Not provided]
## Mitigation Strategies
- **Prevention Measures:** Monitoring and blocking suspicious process injection attempts.
- **Hardening Recommendations:** Implement application control or whitelisting to restrict execution of the binaries and scripts used in the execution chain, for example `msbuild.exe` launched outside of a legitimate build context.
- **Timely Detection:** Reduce the latency between execution and detection; the observed 30-minute gap gives an attacker ample time to pivot.
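As an added example (not code from the report or from SharpParty), the detection and latency checks described above expressed over constructed telemetry: the event schema, the rule logic and the build-context parent allow-list are assumptions, and the events are constructed, not real indicators.

```python
from datetime import datetime

# Constructed sample telemetry (not real IoCs): the chain the report describes
# (execution, beacon, Run-key persistence), then the EDR alert ~30 minutes later.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "event": "process_create",
     "image": MSBUILD, "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2024-01-01T10:00:05", "event": "network_connect",
     "image": MSBUILD, "dest": "c2[.]example[.]com"},
    {"ts": "2024-01-01T10:00:20", "event": "registry_set", "image": MSBUILD,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": "2024-01-01T10:30:00", "event": "edr_alert",
     "rule": "Malicious use of msbuild.exe"},
]

# Parents from which msbuild.exe is expected in a build context
# (assumed allow-list; tune to the environment).
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return a finding label for one event, or None if nothing matched."""
    img = basename(ev.get("image", ""))
    if ev["event"] == "process_create" and img == "msbuild.exe":
        if basename(ev["parent"]) not in BUILD_PARENTS:
            return "msbuild_outside_build_context"
    if ev["event"] == "network_connect" and img == "msbuild.exe":
        return "msbuild_outbound_connection"
    if ev["event"] == "registry_set" and "\\currentversion\\run\\" in ev["key"].lower():
        return "run_key_persistence"
    return None


def findings(events):
    """(timestamp, label) for every event the rules above flag, in order."""
    return [(ev["ts"], label) for ev in events if (label := classify(ev))]


def detection_latency_minutes(events):
    """Minutes between the first flagged behaviour and the first EDR alert."""
    flagged = findings(events)
    alerts = [ev for ev in events if ev["event"] == "edr_alert"]
    if not flagged or not alerts:
        return None
    first = datetime.fromisoformat(flagged[0][0])
    alert = datetime.fromisoformat(alerts[0]["ts"])
    return (alert - first).total_seconds() / 60
```

Run over real telemetry, the `findings` list is what should raise an alert at the first match rather than after the EDR's own delay.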
## Related Tools/Techniques
- **PoolParty:** The reported inspiration for SharpParty, indicating similar process injection functionality.
- **Process Injection Techniques (T1055):** General category of techniques SharpParty leverages.