From cf444398cab3f77f9b8cc7bd23e3e506621eb150 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 18:24:33 -0500 Subject: For ./Persistence/ : -PSScriptAnalyzering -Tweaking of synopsis blocks in order to support platyPS -Code standardization -Generated docs --- docs/Persistence/New-ElevatedPersistenceOption.md | 235 ++++++++++++++++++++++ 1 file changed, 235 insertions(+) create mode 100755 docs/Persistence/New-ElevatedPersistenceOption.md diff --git a/docs/Persistence/New-ElevatedPersistenceOption.md b/docs/Persistence/New-ElevatedPersistenceOption.md new file mode 100755 index 0000000..efe215d --- /dev/null +++ b/docs/Persistence/New-ElevatedPersistenceOption.md 
@@ -0,0 +1,235 @@ +# New-ElevatedPersistenceOption + +## SYNOPSIS +Configure elevated persistence options for the Add-Persistence function. + +PowerSploit Function: New-ElevatedPersistenceOption +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### PermanentWMIAtStartup +``` +New-ElevatedPersistenceOption [-PermanentWMI] [-AtStartup] +``` + +### PermanentWMIDaily +``` +New-ElevatedPersistenceOption [-PermanentWMI] [-Daily] -At +``` + +### ScheduledTaskOnIdle +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-OnIdle] +``` + +### ScheduledTaskAtLogon +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-AtLogon] +``` + +### ScheduledTaskHourly +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-Hourly] +``` + +### ScheduledTaskDaily +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-Daily] -At +``` + +### Registry +``` +New-ElevatedPersistenceOption [-Registry] [-AtLogon] +``` + +## DESCRIPTION +New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. +The output of this function is a required parameter of Add-Persistence. +Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle +``` + +## PARAMETERS + +### -PermanentWMI +Persist via a permanent WMI event subscription. +This option will be the most difficult to detect and remove. 
+ +Detection Difficulty: Difficult +Removal Difficulty: Difficult +User Detectable? +No + +```yaml +Type: SwitchParameter +Parameter Sets: PermanentWMIAtStartup, PermanentWMIDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ScheduledTask +Persist via a scheduled task. + +Detection Difficulty: Moderate +Removal Difficulty: Moderate +User Detectable? +No + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskAtLogon, ScheduledTaskHourly, ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Registry +Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. +Note: This option will briefly pop up a PowerShell console to the user. + +Detection Difficulty: Easy +Removal Difficulty: Easy +User Detectable? +Yes + +```yaml +Type: SwitchParameter +Parameter Sets: Registry +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Daily +Starts the payload daily. + +```yaml +Type: SwitchParameter +Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Hourly +Starts the payload hourly. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskHourly +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -At +Starts the payload at the specified time. +You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. 
+ +```yaml +Type: DateTime +Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OnIdle +Starts the payload after one minute of idling. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskOnIdle +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AtLogon +Starts the payload upon any user logon. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskAtLogon, Registry +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AtStartup +Starts the payload within 240 and 325 seconds of computer startup. + +```yaml +Type: SwitchParameter +Parameter Sets: PermanentWMIAtStartup +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://www.exploit-monday.com](http://www.exploit-monday.com) + -- cgit v1.2.3
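Review bot: EXAMPLE 2 does not match any parameter set declared in SYNTAX: `$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup` combines -Registry with -AtStartup, but the Registry set is given as `New-ElevatedPersistenceOption [-Registry] [-AtLogon]` and the -AtStartup parameter block lists only the PermanentWMIAtStartup set, so the example as written would fail parameter-set resolution. Either change the example to `-Registry -AtLogon` or, if the underlying function really accepts the combination, regenerate the docs so SYNTAX and the -AtStartup block agree with it. Smaller points in the same hunk: the two `-At` syntax lines have lost the parameter's type (the parameter block says `Type: DateTime`, so they should read `-At <DateTime>`); 'persitence' in DESCRIPTION is a typo for 'persistence'; 'within 240 and 325 seconds' under -AtStartup should read 'between 240 and 325 seconds'; and INPUTS and OUTPUTS are left empty even though DESCRIPTION states that the output is a required parameter of Add-Persistence, so OUTPUTS should name the returned object type.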