Home
Scott Sutherland edited this page Mar 23, 2022
PowerHunt is a modular threat hunting framework written in PowerShell.
It is designed to identify signs of compromise based on artifacts left behind by common MITRE ATT&CK techniques. It is not designed to identify known-bad files, domains, or IPs associated with specific APTs or malware. Additionally, it supports functionality to:
- Authenticate using the current user context, a credential, or clear text user/password.
- Discover accessible systems associated with an Active Directory domain automatically.
- Target a single computer, list of computers, or discovered Active Directory computers (default).
- Collect data source information from systems using PowerShell Remoting and easy-to-build collection modules.
- Analyze collected data using easy-to-build, behavior-based analysis modules.
- Report summary data and initial insights that can help analysts get started on simple threat hunting exercises that focus on common persistence and related techniques.
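The collect, analyze and report pipeline listed above, as an added illustration that is not PowerHunt's own code: a hypothetical collection module gathers scheduled-task actions over PowerShell Remoting (current user context or a supplied credential), and a hypothetical analysis module flags them on behavior rather than on known-bad indicators. Function names are assumptions; targets are assumed to have WinRM enabled and the RSAT ActiveDirectory module is assumed for discovery.

```powershell
# Added illustration of the collect -> analyze -> report pipeline; function names are
# hypothetical, not PowerHunt's own API. Assumes PowerShell Remoting is enabled on the
# targets and the RSAT ActiveDirectory module is available for computer discovery.

function Invoke-CollectScheduledTasks {
    # Collection module: runs on each target and returns one row per task action.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential          # omit to use the current user context
    )
    $collector = {
        foreach ($task in Get-ScheduledTask) {
            foreach ($action in $task.Actions) {
                [pscustomobject]@{
                    TaskName  = $task.TaskPath + $task.TaskName
                    Principal = $task.Principal.UserId
                    Execute   = $action.Execute      # $null for COM-handler actions
                    Arguments = $action.Arguments
                }
            }
        }
    }
    $params = @{ ComputerName = $ComputerName; ScriptBlock = $collector; ErrorAction = 'SilentlyContinue' }
    if ($Credential) { $params.Credential = $Credential }
    Invoke-Command @params   # remoting adds PSComputerName to each row
}

function Invoke-AnalyzeScheduledTasks {
    # Analysis module: behavior-based checks, not a list of known-bad hashes or domains.
    param([Parameter(Mandatory)][object[]]$Tasks)
    $writablePath = '\\(Temp|AppData|ProgramData|Users\\Public|Downloads)\\'
    $scriptHost   = '(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\W*$'
    $riskyArgs    = '(-enc|-e |-ec |frombase64|downloadstring|iex|invoke-expression)'
    foreach ($t in $Tasks) {
        $reasons = @()
        if ($t.Execute -match $writablePath) { $reasons += 'binary launched from user-writable path' }
        if ($t.Execute -match $scriptHost -and $t.Arguments -match $riskyArgs) {
            $reasons += 'script host with encoded or download-and-execute arguments'
        }
        if ($reasons) { $t | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru }
    }
}

# Report: discover enabled domain computers, collect, analyze, and summarise findings by reason.
$targets  = (Get-ADComputer -Filter 'Enabled -eq $true').DNSHostName
$tasks    = Invoke-CollectScheduledTasks -ComputerName $targets
$findings = Invoke-AnalyzeScheduledTasks -Tasks $tasks
$findings | Group-Object Reason | Select-Object Count, Name | Sort-Object Count -Descending
$findings | Export-Csv -NoTypeInformation -Path .\scheduled-task-findings.csv
```

Each flagged row is a hunting lead to triage, not a verdict; the CSV keeps the host, task, principal and reason together so an analyst can pivot from summary counts to individual tasks.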
This is not a novel approach to threat hunting, but I thought the project was worth sharing for those who want to play with it.
User and developer guides can be found on the wiki here.
Author
Scott Sutherland (@_nullbind)
License
BSD 3-Clause