Giters

whmacmac / NorkNork

Powershell Empire Persistence finder

Home Page:https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

NorkNork - Tool for identifying Empire persistence payloads

https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/

ABOUT:

This script was designed to identify Powershell Empire persistence payloads on Windows systems.
It currently supports checks for these persistence methods:

  • Scheduled Tasks
  • Auto-run
  • WMI subscriptions
  • Security Support provider
  • Ease of Access Center backdoors
  • Machine account password disable

INSTALL:

You can run this script with python 2.7 or by downloading the pyinstaller exe. Run the binary or the script in a powershell window.

USAGE:

Running the python script

PS C:\Users\>python norknork.py

Running the binary

PS C:\Users\> .\norknork.exe

Save the data into a text file

PS C:\Users\> .\norknork.exe > results.txt

alt tag ###FAQ:

Q: Why didn't you just create this in powershell?

A: I was too lazy to learn powershell.

Q: Will this find all persistence methods?

A: No, only those in Powershell Emprire and only those that perist through reboots.

About

Powershell Empire Persistence finder

https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/

Languages

Language:Python 100.0%