https://github.com/n00py/norknork
Powershell Empire Persistence finder
- Host: GitHub
- URL: https://github.com/n00py/norknork
- Owner: n00py
- Created: 2017-01-25T23:35:30.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2017-01-30T22:23:30.000Z (about 8 years ago)
- Last Synced: 2025-04-13T22:16:44.977Z (11 days ago)
- Language: Python
- Homepage: https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/
- Size: 3.47 MB
- Stars: 119
- Watchers: 6
- Forks: 33
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# NorkNork - Tool for identifying Empire persistence payloads
https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/
## ABOUT:
This script was designed to identify PowerShell Empire persistence payloads on Windows systems.
It currently supports checks for these persistence methods:
- Scheduled Tasks
- Auto-run
- WMI subscriptions
- Security Support Provider
- Ease of Access Center backdoors
- Machine account password disable

## INSTALL:
You can run this script with Python 2.7 or by downloading the PyInstaller exe. Run the binary or the script in a PowerShell window.
## USAGE:
### Running the python script
```
PS C:\Users\> python norknork.py
```
### Running the binary
```
PS C:\Users\> .\norknork.exe
```
### Save the data into a text file
```
PS C:\Users\> .\norknork.exe > results.txt
```

### FAQ:
Q: Why didn't you just create this in PowerShell?

A: I was too lazy to learn PowerShell.

Q: Will this find all persistence methods?

A: No, only those in PowerShell Empire and only those that persist through reboots.