Skip to content
/ PowerHunt Public

PowerHunt is a modular threat hunting framework written in PowerShell that leverages PowerShell Remoting for data collection on scale.

License

View license
61 stars 10 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

NetSPI/PowerHunt

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

318 Commits
windows/modules
windows/modules
 
 
LICENSE
LICENSE
 
 
PowerHunt.psm1
PowerHunt.psm1
 
 
README.md
README.md
 
 
Report-Template-v1.html
Report-Template-v1.html
 
 

Repository files navigation

PowerHunt

PowerHunt is a modular threat hunting framework written in PowerShell that leverages PowerShell Remoting for data collection at scale.

It is designed to identify signs of compromise based on artifacts left behind by common MITRE ATT&CK techniques, and the collected data can be used to identify anomalies and outliers specific to the target environment. It was not designed to identify known bad files, domains, or IPs associated with specific APTs/malware, but I'm sure it could be extended to do that.

It supports functionality to:

  • Authenticate using the current user context, a credential, or clear text user/password.
  • Discover accessible systems associated with an Active Directory domain automatically.
  • Target a single computer, list of computers, or discovered Active Directory computers (default).
  • Collect data source information from target systems using PowerShell Remoting and easy to build collection modules.
  • Analyze collected data using easy to build analysis modules based on behavior.
  • Report summary data and initial insights that can help analysts get started on simple threat hunting exercises that focus on common persistence and related techniques.

This is not a novel approach to threat hunting, but I thought the project was worth sharing, because in certain environments the automation can be a time saver.

User and developer guides can be found on the wiki here.

Author
Scott Sutherland (@_nullbind)

License
BSD 3-Clause

Primary Todo

Pending Fixes / Higher Priorities

  • Create an HTML summary report (summary for discovery(sample), collection, analysis; main page for each with dig in html files)
  • Fix groups and user collection on 2008 ps3 vs ps5 - function used are not backwards compatable
  • Fix cast error in field for wmi bindings modules
  • Update $AnalysisModuleDesc in each analysis module to include correct description.
  • Review events for potential additions https://github.com/ANSSI-FR/guide-journalisation-microsoft/blob/main/Standard_WEC_query.xml

Pending Features / Modules

Remote Collection Methods

  • WMI
  • SMB/RPC - Create Service
  • SMB/RPC - Create Scheduled Task
  • SMB/RCP - Remote registry

Artifact Collection

  • Add RDP session collection
  • Add PS remoting session collection
  • Add netsess session collection
  • Add Pcap ingestion
  • Add Drivers installed
  • Add ransomware artifcats (files/reg keys/recovery removal)

Analysis / Core

  • Add contextual LOLBAS process checks
  • Update LOLBAS list for persistence checks
  • Add https://www.loldrivers.io/ checks
  • Add parent / child rules for processes
  • Add network connection rules for processes
  • Add thresholds to all anomaly modules - make configurable.
  • Sigma rules ingestion.
  • Add hidden task hunter

Report.

  • Excludede DC option.
  • Create square chart, with color desity associated with instances per subnets/system
  • Heat map chart.
  • Timeline chart.

About

PowerHunt is a modular threat hunting framework written in PowerShell that leverages PowerShell Remoting for data collection on scale.

Resources

Readme

License

View license
Activity
Custom properties

Stars

61 stars

Watchers

9 watching

Forks

10 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages