This script was designed to identify PowerShell Empire persistence payloads on Windows systems.

It currently supports checks for these persistence methods:

Scheduled Tasks

Auto-run

WMI subscriptions

Security Support Provider (SSP)

Ease of Access Center backdoors

Machine account password disable
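The checks listed above, as an added Python 3 example that is not norknork's own code: each function inspects a registry snapshot (a dict mapping a key path to its values) for the artefact that the corresponding persistence method leaves behind, so the logic runs on any OS against an exported snapshot. The allowlist of stock Security Packages, the suspicious-command pattern and the sample snapshot are assumptions constructed for this example, and `load_live_snapshot` reads the same keys on a Windows host through `winreg`.

```python
"""Registry-snapshot checks for Empire-style persistence (added example, not norknork)."""
import re
import sys

# Registry locations each persistence method touches.
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
NETLOGON_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Accessibility binaries whose IFEO "Debugger" value is abused for Ease of Access backdoors.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe")
# Assumption: SSPs shipped with Windows; tune per build before trusting as an allowlist.
KNOWN_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}
# Assumption: command-line traits typical of a PowerShell launcher in an autorun entry.
SUSPICIOUS_CMD = re.compile(r"powershell.*(-enc|-encodedcommand|-w hidden|-nop|iex|downloadstring)", re.I)


def check_ssp(snapshot):
    """Return Security Packages entries not in the allowlist (a dropped SSP DLL shows up here)."""
    pkgs = snapshot.get(LSA_KEY, {}).get("Security Packages", [])
    return [p for p in pkgs if p and p.lower() not in KNOWN_SSPS]


def check_ease_of_access(snapshot):
    """Return (binary, debugger) pairs where an accessibility tool has an IFEO Debugger set."""
    findings = []
    for exe in ACCESSIBILITY_BINARIES:
        values = snapshot.get(IFEO_KEY + "\\" + exe, {})
        if "Debugger" in values:
            findings.append((exe, values["Debugger"]))
    return findings


def check_machine_password(snapshot):
    """True when automatic machine account password rotation has been switched off."""
    return snapshot.get(NETLOGON_KEY, {}).get("DisablePasswordChange", 0) == 1


def check_autorun(snapshot):
    """Return (key, name, command) for Run entries whose command looks like a PowerShell launcher."""
    findings = []
    for key in RUN_KEYS:
        for name, cmd in snapshot.get(key, {}).items():
            if isinstance(cmd, str) and SUSPICIOUS_CMD.search(cmd):
                findings.append((key, name, cmd))
    return findings


def scan(snapshot):
    """Run every check and collect the results under one name per persistence method."""
    return {
        "unknown_security_packages": check_ssp(snapshot),
        "ease_of_access_debuggers": check_ease_of_access(snapshot),
        "machine_password_change_disabled": check_machine_password(snapshot),
        "suspicious_autoruns": check_autorun(snapshot),
    }


def load_live_snapshot():
    """Read the keys above from the live registry (Windows only; uses the stdlib winreg module)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    paths = [LSA_KEY, NETLOGON_KEY, *RUN_KEYS] + [IFEO_KEY + "\\" + e for e in ACCESSIBILITY_BINARIES]
    snapshot = {}
    for path in paths:
        hive, _, subkey = path.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    values[name] = data
                    index += 1
                snapshot[path] = values
        except OSError:  # key absent, which is the normal case for IFEO entries
            continue
    return snapshot


# Constructed sample snapshot: one artefact per persistence method plus a benign Run entry.
SAMPLE_SNAPSHOT = {
    LSA_KEY: {"Security Packages": ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "persist"]},
    IFEO_KEY + r"\sethc.exe": {"Debugger": r"C:\Windows\System32\cmd.exe"},
    NETLOGON_KEY: {"DisablePasswordChange": 1},
    RUN_KEYS[1]: {
        "OneDrive": r"C:\Program Files\OneDrive.exe /background",
        "Updater": "powershell -w hidden -nop -enc AAAAAAAAAAAAAAAA",
    },
}

if __name__ == "__main__":
    source = load_live_snapshot() if sys.platform == "win32" and "--live" in sys.argv else SAMPLE_SNAPSHOT
    for method, result in scan(source).items():
        print(f"{method}: {result}")
```

Run without arguments to see the findings for the constructed sample; on a Windows host, `python persistence_checks.py --live` walks the real keys instead. The snapshot-dict shape is also what you get after parsing a `reg export` of the same keys from a host you cannot run code on, which is the usual incident-response case.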

You can run this script with Python 2.7 or download the PyInstaller-built exe. Run the binary or the script from a PowerShell window.

Running the python script

PS C:\Users\>python norknork.py

Running the binary

PS C:\Users\> .\norknork.exe

Save the data into a text file