Skip to content
Scott Sutherland edited this page Mar 23, 2022 · 16 revisions

PowerHunt

PowerHunt is a modular hunting framework written in PowerShell designed to:

  • Identify signs of compromise based on artifacts left behind by common MITRE ATT&CK techniques. It is not designed for identifying known bad files/domains/IPs associated with specific APTs/malware. However, it would be easy to write modules for that. ;)
  • Discover accessible systems associated with a Active Directory domain automatically.
  • Target a single computer, list of computers, or discovered Active Directory computers.
  • Collect data source information from systems using PowerShell Remoting and easy to build collection modules.
  • Analyze collected data using easy to build analysis modules based on behavior.
  • Report summary data and initial insights that can help analysts get started on simple threat hunting exercises that focus on common persistence and related techniques.

This is not a novel approach to hunting, but I thought the project was worth sharing for those who want to play with it. User and developer guides can be found on the wiki here.

Author
Scott Sutherland (@_nullbind)

License
BSD 3-Clause