NorkNork - Powershell Empire Persistence Finder

This script was designed to identify Powershell Empire persistence payloads on Windows systems.
It currently supports checks for these persistence methods:
  • Scheduled Tasks
  • Auto-run
  • WMI subscriptions
  • Security Support provider
  • Ease of Access Center backdoors
  • Machine account password disable

You can run this script with python 2.7 or by downloading the pyinstaller exe. Run the binary or the script in a powershell window.


Running the python script
PS C:\Users\>python

Running the binary
PS C:\Users\> .\norknork.exe

Save the data into a text file
PS C:\Users\> .\norknork.exe > results.txt

Q: Why didn't you just create this in powershell?
A: I was too lazy to learn powershell.
Q: Will this find all persistence methods?
A: No, only those in Powershell Emprire and only those that perist through reboots.

NorkNork - Powershell Empire Persistence Finder NorkNork - Powershell Empire Persistence Finder Reviewed by Zion3R on 11:00 AM Rating: 5