Full Report
This article also appears on the Stroz Friedberg, A LevelBlue Company, blog site.
Analysis Summary
# Tool/Technique: SharpParty
## Overview
SharpParty is a C# implementation of a technique inspired by SafeBreach Labs' work, designed to demonstrate process injection capabilities for security testing and research purposes. The provided context highlights a specific use case where it was leveraged in conjunction with a registry run key persistence method, resulting in C2 beaconing.
## Technical Details
- Type: Tool/Malware Concept (Process Injection implementation)
- Platform: Windows (Implied, due to use of `msbuild.exe` and registry run keys)
- Capabilities: Process Injection, establishing C2 communication (beaconing), persistence via registry run keys.
- First Seen: Not explicitly stated; the tool is described only as inspired by SafeBreach Labs' work.
## MITRE ATT&CK Mapping
The activity described primarily relates to Execution and Persistence, achieved through process manipulation.
- **TA0002 - Execution**
  - T1055 - Process Injection
    - *No specific sub-techniques listed in the text for the injection itself, but the outcome is process manipulation.*
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
    - T1547.001 - Registry Run Keys / Startup Folder (Demonstrated via setting an autorun key)
## Functionality
### Core Capabilities
- Implementation of process injection (C# based).
- Establishing command and control (C2) beacons after initial execution and subsequent logon events (persistence).
### Advanced Features
- Demonstrates evasion techniques by leveraging legitimate system tools indirectly: the secondary C2 beacon was initially flagged due to the malicious use of `msbuild.exe` in the overall execution chain.
- Potential for establishing persistence through modification of Windows Run Keys.
## Indicators of Compromise
The text focuses on the *behavior* that triggers detection rather than on hardcoded IoCs for the payload itself; the indicators below are behavioral observations from the test:
- File Hashes: Not provided.
- File Names: Not provided.
- Registry Keys: Use of an autorun key to establish persistence.
- Network Indicators: Establishment of C2 beacons (no domains or IPs are provided in the text).
- Behavioral Indicators:
  - Execution of a SharpParty payload resulting in a C2 beacon.
  - Establishing persistence via registry run keys, leading to a second beacon upon re-login.
  - Malicious use of `msbuild.exe` detected 30 minutes post-detonation.
## Associated Threat Actors
No specific named threat actors are explicitly associated with the release or use of this research tool in the provided text. It is presented as a research effort shared with the security community.
## Detection Methods
- **Signature-based detection:** Not emphasized as the primary detection mechanism initially.
- **Behavioral detection:** EDR eventually caught the activity, specifically alerting on the "malicious use of 'msbuild.exe' and an unspecified malicious payload in our target process."
- **YARA rules:** Not provided.
## Mitigation Strategies
- **Prevention measures:** Monitoring and restricting the creation of suspicious entries in registry Run Keys (T1547.001).
- **Hardening recommendations:** Enhancing EDR/security product tuning to minimize the Time to Detect (TTD) for complex execution chains involving legitimate tools like `msbuild.exe` loading malicious content.
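A detection check for the Run key monitoring recommended above, as an added example (not code from the original report or from SharpParty): it scans Sysmon-style registry value-set records (Event ID 13 field names) and flags Run/RunOnce entries that invoke `msbuild.exe`, the LOLBin from the test, or that point at user-writable paths. The sample records below are constructed, not real telemetry.

```python
import re

# Constructed Sysmon-style "Registry value set" (Event ID 13) records; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\alice\AppData\Roaming\build.xml"},
    {"EventID": 13, "Image": r"C:\Program Files\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Stage",
     "Details": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
]

# Only value writes under the Run / RunOnce autostart keys are in scope.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# msbuild.exe as an autorun target: a legitimate build tool proxy-executing a project file.
MSBUILD_RE = re.compile(r"\bmsbuild\.exe\b", re.IGNORECASE)
# Autorun data pointing into locations a standard user can write to.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def triage_run_key_events(events):
    """Return [(target_object, [reasons])] for Run/RunOnce value writes that look suspicious."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue  # not a registry value-set event on an autostart key
        data = ev.get("Details", "")
        reasons = []
        if MSBUILD_RE.search(data):
            reasons.append("autorun invokes msbuild.exe")
        if USER_WRITABLE_RE.search(data):
            reasons.append("autorun references a user-writable location")
        if reasons:
            findings.append((ev["TargetObject"], reasons))
    return findings


if __name__ == "__main__":
    for target, reasons in triage_run_key_events(SAMPLE_EVENTS):
        print(f"{target}: {'; '.join(reasons)}")
```

Entries written by the application itself into a vendor path (the OneDrive record) pass, while the msbuild.exe autorun is flagged on both heuristics.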
## Related Tools/Techniques
- Based on work from SafeBreach Labs (Implied connection to their *PoolParty* research/tool, as SharpParty is a C# implementation of it).
- Process Injection (General Technique).