Scott Sutherland edited this page Mar 23, 2022 · 16 revisions

PowerHunt

PowerHunt is a modular threat hunting framework written in PowerShell.

It is designed to identify signs of compromise based on artifacts left behind by common MITRE ATT&CK techniques. It is not designed to identify known-bad files, domains, or IPs associated with specific APTs or malware families (indicator matching). Additionally, it supports functionality to:

  • Authenticate using the current user context, a PSCredential object, or a clear-text username and password.
  • Discover accessible systems associated with an Active Directory domain automatically.
  • Target a single computer, a list of computers, or the discovered Active Directory computers (default).
  • Collect data source information from systems using PowerShell Remoting and easy-to-build collection modules.
  • Analyze collected data using easy-to-build, behavior-based analysis modules.
  • Report summary data and initial insights that can help analysts get started on simple threat hunting exercises focused on common persistence and related techniques.
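The bullets above describe a pipeline (authenticate, discover, target, collect, analyze, report). The script below is an added illustration of that pattern written for this page; it is not PowerHunt's own code and does not use its module interface. It assumes (hypothetically) that PowerShell Remoting is enabled on the targets, that the current host is domain-joined so ADSI discovery works, and it uses autorun registry keys (MITRE ATT&CK T1547.001) as the example "collection module" and a path/interpreter heuristic as the example "analysis module". All cmdlets are built-in; the function names `Get-DomainComputerName` and `Find-SuspiciousAutorun` are made up for this example.

```powershell
# Added example of the collect -> analyze -> report pattern. Not PowerHunt's code.
# Assumptions (hypothetical): PS Remoting enabled on targets, domain-joined host for ADSI lookups.
param(
    [string[]]$ComputerName,      # explicit target list; omitted -> discover from AD
    [pscredential]$Credential     # omitted -> current user context
)

# --- Discover: enabled computer accounts in the current domain via ADSI (no RSAT needed) ---
function Get-DomainComputerName {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    # LDAP_MATCHING_RULE_BIT_AND on userAccountControl bit 2 (ACCOUNTDISABLE) excludes disabled hosts
    $searcher.Filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('dnshostname')
    $searcher.FindAll() | ForEach-Object { $_.Properties['dnshostname'][0] } | Where-Object { $_ }
}

if (-not $ComputerName) { $ComputerName = Get-DomainComputerName }

# --- Collect: a "collection module" is just a script block executed on each target ---
# This one enumerates Run/RunOnce autorun values (T1547.001) and tags each with the host name.
$CollectRunKeys = {
    $paths = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $item = Get-ItemProperty -Path $p
            foreach ($prop in $item.PSObject.Properties) {
                if ($prop.Name -notmatch '^PS') {   # skip PSPath/PSParentPath/PSProvider noise
                    [pscustomobject]@{
                        ComputerName = $env:COMPUTERNAME
                        KeyPath      = $p
                        ValueName    = $prop.Name
                        Command      = [string]$prop.Value
                    }
                }
            }
        }
    }
}

# Authenticate: current context by default, or the supplied credential (never a plaintext string here)
$icmParams = @{ ComputerName = $ComputerName; ScriptBlock = $CollectRunKeys; ErrorAction = 'SilentlyContinue' }
if ($Credential) { $icmParams.Credential = $Credential }
$collected = @(Invoke-Command @icmParams)

# --- Analyze: an "analysis module" is a behavior-based filter over the collected objects ---
# Flags autoruns launched from user-writable/temp locations or via script hosts and LOLBins.
function Find-SuspiciousAutorun {
    param([object[]]$Data)
    $Data | Where-Object {
        $_.Command -match '\\(Users|Temp|AppData|ProgramData|Public)\\' -or
        $_.Command -match '(?i)\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil)\b'
    }
}
$findings = @(Find-SuspiciousAutorun -Data $collected)

# --- Report: fleet summary, prevalence outliers, then the flagged rows ---
$responded = @($collected.PSComputerName | Sort-Object -Unique).Count
"Targets: $($ComputerName.Count)  Responded: $responded  Autoruns: $($collected.Count)  Flagged: $($findings.Count)"
# A command present on one host but absent from the rest is a better lead than a fleet-wide default
$collected | Group-Object Command | Sort-Object Count | Select-Object Count, Name -First 10
$findings | Select-Object PSComputerName, KeyPath, ValueName, Command | Format-Table -AutoSize
```

Run it as a script with no arguments to hunt the whole domain under the current user, or pass `-ComputerName host1,host2 -Credential (Get-Credential)` to target specific hosts with an explicit account. The prevalence grouping at the end is the part worth keeping in any real module: baselines across many hosts, not signatures, are what make a behavior-based hunt productive.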

This is not a novel approach to threat hunting, but I thought the project was worth sharing for those who want to play with it.
User and developer guides can be found on the wiki here.

Author
Scott Sutherland (@_nullbind)

License
BSD 3-Clause