NorkNork – Tool for identifying Empire persistence payloads

This script was designed to identify Powershell Empire persistence payloads on Windows systems.
It currently supports checks for these persistence methods:

• Scheduled Tasks
• Auto-run
• WMI subscriptions
• Security Support provider
• Ease of Access Center backdoors
• Machine account password disable

INSTALL

git clone https://github.com/n00py/NorkNork.git

USAGE

Running the python script

PS C:\Users\>python norknork.py

Running the binary

PS C:\Users\> .\norknork.exe

Save the data into a text file

PS C:\Users\> .\norknork.exe > results.txt

Tutorial

Source: https://github.com/n00py/NorkNork