Powershell Empire Persistence finder
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
bin Delete thing Jan 26, 2017
README.md
norknork.png
norknork.py

README.md

NorkNork - Tool for identifying Empire persistence payloads

https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/

ABOUT:

This script was designed to identify Powershell Empire persistence payloads on Windows systems.
It currently supports checks for these persistence methods:

  • Scheduled Tasks
  • Auto-run
  • WMI subscriptions
  • Security Support provider
  • Ease of Access Center backdoors
  • Machine account password disable

INSTALL:

You can run this script with python 2.7 or by downloading the pyinstaller exe. Run the binary or the script in a powershell window.

USAGE:

Running the python script

PS C:\Users\>python norknork.py

Running the binary

PS C:\Users\> .\norknork.exe

Save the data into a text file

PS C:\Users\> .\norknork.exe > results.txt

alt tag ###FAQ:

Q: Why didn't you just create this in powershell?

A: I was too lazy to learn powershell.

Q: Will this find all persistence methods?

A: No, only those in Powershell Emprire and only those that perist through reboots.