NorkNork - Powershell Empire Persistence Finder
This script is designed to identify PowerShell Empire persistence payloads on Windows systems.
It currently checks for these persistence methods:
- Scheduled Tasks
- Auto-run
- WMI subscriptions
- Security Support Provider
- Ease of Access Center backdoors
- Machine account password disable
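
To illustrate the kind of check behind the "Ease of Access Center backdoors" item, here is an added example (not NorkNork's own code) that parses the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` and reports accessibility programs that have a Debugger value set. The registry location, the list of program names, and the function name are assumptions of this example; the sample input is constructed.

```python
import re

# Assumption: accessibility programs that can be launched from the logon screen.
ACCESSIBILITY_EXES = {"sethc.exe", "utilman.exe", "osk.exe",
                      "narrator.exe", "magnify.exe", "displayswitch.exe"}
IFEO = r"\image file execution options" + "\\"

def find_debugger_hijacks(reg_query_text):
    """Return [(exe, debugger_command)] for accessibility programs that have
    a Debugger value under Image File Execution Options."""
    findings, current_exe = [], None
    for line in reg_query_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Key line: remember which executable the following values belong to.
            lowered = line.strip().lower()
            idx = lowered.rfind(IFEO)
            current_exe = lowered[idx + len(IFEO):] if idx != -1 else None
            continue
        # Value line: name, type and data are separated by runs of four spaces.
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if (len(parts) >= 2 and parts[0].lower() == "debugger"
                and current_exe in ACCESSIBILITY_EXES):
            findings.append((current_exe, parts[2] if len(parts) == 3 else ""))
    return findings

# Constructed sample in `reg query ... /s` format (not from a real system).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    C:\Tools\dbg.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
    Debugger    REG_SZ    C:\Users\Public\example.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe
    MitigationOptions    REG_BINARY    00000000
"""

if __name__ == "__main__":
    for exe, command in find_debugger_hijacks(SAMPLE):
        print("Debugger set for %s: %s" % (exe, command))
```

Any Debugger value on one of these programs deserves investigation, because a normal installation does not attach a debugger to them.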
INSTALL:
You can run this script with Python 2.7 or by downloading the PyInstaller exe. Run the binary or the script in a PowerShell window.
USAGE:
Running the python script
PS C:\Users\> python norknork.py
Running the binary
PS C:\Users\> .\norknork.exe
Save the data into a text file
PS C:\Users\> .\norknork.exe > results.txt
FAQ
Q: Why didn't you just create this in PowerShell?
A: I was too lazy to learn PowerShell.
Q: Will this find all persistence methods?
A: No, only those in PowerShell Empire and only those that persist through reboots.