| author | mattifestation <mattgraeber@gmail.com> | 2014-02-23 10:31:24 -0500 | 
|---|---|---|
| committer | mattifestation <mattgraeber@gmail.com> | 2014-02-23 10:35:55 -0500 | 
| commit | bbd382e52a131b3e876ee145d7abd834cdfb5d0c (patch) | |
| tree | d1ee7891871135e6882a7605f540db5b0d5576b3 /Persistence/New-ElevatedPersistenceOption.ps1 | |
| parent | 28790b5a087ea8ee74668725aebe8cb71fb47642 (diff) | |
#31 Persistence module function nouns are now singular
The function names New-UserPersistenceOption and
New-ElevatedPersistenceOption now conform
to PowerShell naming best practices.
Diffstat (limited to 'Persistence/New-ElevatedPersistenceOption.ps1')
| -rw-r--r-- | Persistence/New-ElevatedPersistenceOption.ps1 | 170 | 
1 files changed, 170 insertions, 0 deletions
diff --git a/Persistence/New-ElevatedPersistenceOption.ps1 b/Persistence/New-ElevatedPersistenceOption.ps1
new file mode 100644
index 0000000..42a2437
--- /dev/null
+++ b/Persistence/New-ElevatedPersistenceOption.ps1
@@ -0,0 +1,170 @@
+function New-ElevatedPersistenceOption
+{
+<#
+.SYNOPSIS
+
+    Configure elevated persistence options for the Add-Persistence function.
+
+    PowerSploit Function: New-ElevatedPersistenceOption
+    Author: Matthew Graeber (@mattifestation)
+    License: BSD 3-Clause
+    Required Dependencies: None
+    Optional Dependencies: None
+ 
+.DESCRIPTION
+
+    New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry.
+
+.PARAMETER PermanentWMI
+
+    Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove.
+
+    Detection Difficulty:        Difficult
+    Removal Difficulty:          Difficult
+    User Detectable?             No
+
+.PARAMETER ScheduledTask
+
+    Persist via a scheduled task.
+
+    Detection Difficulty:        Moderate
+    Removal Difficulty:          Moderate
+    User Detectable?             No
+
+.PARAMETER Registry
+
+    Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user.
+
+    Detection Difficulty:        Easy
+    Removal Difficulty:          Easy
+    User Detectable?             Yes
+
+.PARAMETER AtLogon
+
+    Starts the payload upon any user logon.
+
+.PARAMETER AtStartup
+
+    Starts the payload within 240 and 325 seconds of computer startup.
+
+.PARAMETER OnIdle
+
+    Starts the payload after one minute of idling.
+
+.PARAMETER Daily
+
+    Starts the payload daily.
+
+.PARAMETER At
+
+    Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
+
+.EXAMPLE
+
+    C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+
+.EXAMPLE
+
+    C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
+
+.EXAMPLE
+
+    C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+
+.LINK
+
+    http://www.exploit-monday.com
+#>
+
+    [CmdletBinding()] Param (
+        [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
+        [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
+        [Switch]
+        $PermanentWMI,
+
+        [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
+        [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
+        [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
+        [Switch]
+        $ScheduledTask,
+
+        [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
+        [Switch]
+        $Registry,
+
+        [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
+        [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
+        [Switch]
+        $Daily,
+
+        [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
+        [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
+        [DateTime]
+        $At,
+
+        [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
+        [Switch]
+        $OnIdle,
+
+        [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
+        [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
+        [Switch]
+        $AtLogon,
+
+        [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
+        [Switch]
+        $AtStartup
+    )
+
+    $PersistenceOptionsTable = @{
+        Method = ''
+        Trigger = ''
+        Time = ''
+    }
+
+    switch ($PSCmdlet.ParameterSetName)
+    {
+        'PermanentWMIAtStartup'
+        {
+            $PersistenceOptionsTable['Method'] = 'PermanentWMI'
+            $PersistenceOptionsTable['Trigger'] = 'AtStartup'
+        }
+
+        'PermanentWMIDaily'
+        {
+            $PersistenceOptionsTable['Method'] = 'PermanentWMI'
+            $PersistenceOptionsTable['Trigger'] = 'Daily'
+            $PersistenceOptionsTable['Time'] = $At
+        }
+
+        'ScheduledTaskAtLogon'
+        {
+            $PersistenceOptionsTable['Method'] = 'ScheduledTask'
+            $PersistenceOptionsTable['Trigger'] = 'AtLogon'
+        }
+
+        'ScheduledTaskOnIdle'
+        {
+            $PersistenceOptionsTable['Method'] = 'ScheduledTask'
+            $PersistenceOptionsTable['Trigger'] = 'OnIdle'
+        }
+
+        'ScheduledTaskDaily'
+        {
+            $PersistenceOptionsTable['Method'] = 'ScheduledTask'
+            $PersistenceOptionsTable['Trigger'] = 'Daily'
+            $PersistenceOptionsTable['Time'] = $At
+        }
+
+        'Registry'
+        {
+            $PersistenceOptionsTable['Method'] = 'Registry'
+            $PersistenceOptionsTable['Trigger'] = 'AtLogon'
+        }
+    }
+
+    $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable
+    $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.ElevatedPersistenceOption'
+
+    Write-Output $PersistenceOptions
+}  |
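Review bot: The second `.EXAMPLE` in the comment-based help, `New-ElevatedPersistenceOption -Registry -AtStartup`, matches no parameter set declared in the `Param` block: `-Registry` appears only in the 'Registry' set, whose mandatory trigger is `-AtLogon`, and `-AtStartup` appears only in 'PermanentWMIAtStartup', so the documented call should fail parameter-set resolution. The example should read `C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtLogon`, which is also the trigger the 'Registry' branch of the switch records. The `.PARAMETER AtStartup` and `.PARAMETER AtLogon` entries would be clearer if they named the methods each switch is valid with, and "persitence" in `.DESCRIPTION` is a typo for "persistence". The "Detection Difficulty" ratings are stated as absolutes; WMI subscriptions, scheduled tasks and Run-key values can all be enumerated by routine host auditing, so the labels read more accurately as a relative ordering.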