Scott Sutherland edited this page Jan 4, 2023 · 16 revisions

Welcome to the PowerHunt wiki page! User and development guides can be found in the right-hand menu, and an overview of PowerHunt is provided below.

PowerHunt

PowerHunt is a modular threat hunting framework written in PowerShell that leverages PowerShell Remoting for data collection at scale.

It is designed to identify signs of compromise based on artifacts left behind by common MITRE ATT&CK techniques, and the collected data can be used to identify anomalies and outliers specific to the target environment. It was not designed to identify known bad files, domains, or IPs associated with specific APTs/malware, but I'm sure it could be extended to do that.

It supports functionality to:

  • Authenticate using the current user context, a credential object, or a clear-text username and password.
  • Discover accessible systems associated with an Active Directory domain automatically.
  • Target a single computer, a list of computers, or the discovered Active Directory computers (default).
  • Collect data source information from target systems using PowerShell Remoting and easy-to-build collection modules.
  • Analyze collected data using easy-to-build, behavior-based analysis modules.
  • Report summary data and initial insights that help analysts get started on simple threat hunting exercises focused on common persistence and related techniques.
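The target / collect / analyze / report cycle the list above describes, as an added example written for this page and not PowerHunt's own modules or code: it selects targets from Active Directory (or an explicit list), gathers service, Run-key and scheduled-task artifacts over PowerShell Remoting, stacks the results across the fleet, and flags artifacts that are rare or launched from user-writable paths. The collection locations, the rarity threshold, the path regex and the output file names are assumptions chosen for the illustration, not settings PowerHunt uses.

```powershell
# Added illustrative example, not PowerHunt's own code. Collects persistence
# artifacts from many hosts over PowerShell Remoting, stacks them across the
# fleet, and flags outliers. Assumes WinRM is enabled on the targets and that
# the ActiveDirectory module is available when no -ComputerName list is given.
param(
    [string[]]$ComputerName,      # explicit targets; omitted = discover via AD
    [pscredential]$Credential,    # optional; default is the current user context
    [int]$ThrottleLimit = 32,     # parallel remoting sessions
    [int]$RareThreshold = 2,      # flag artifacts seen on this many hosts or fewer
    [string]$OutDir = '.\hunt-output'
)

# 1. Target selection: explicit list, or every enabled computer in the domain.
if (-not $ComputerName) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $ComputerName = @(Get-ADComputer -Filter 'Enabled -eq $true' -Properties DNSHostName |
        Where-Object { $_.DNSHostName } | ForEach-Object { $_.DNSHostName })
}

# 2. Collection module: runs on each remote host and returns uniform records.
$Collect = {
    $hostName = $env:COMPUTERNAME
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    # Services and the command lines they launch.
    Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Host = $hostName; Source = 'Service'; Name = $_.Name; Value = $_.PathName }
    }
    # Machine-wide Run/RunOnce autostart entries (assumed set of keys).
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $skip) { continue }
            [pscustomobject]@{ Host = $hostName; Source = 'RunKey'; Name = "$key\$($p.Name)"; Value = [string]$p.Value }
        }
    }
    # Scheduled task actions.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            [pscustomobject]@{ Host = $hostName; Source = 'SchTask'; Name = $task.TaskPath + $task.TaskName; Value = ("$($a.Execute) $($a.Arguments)").Trim() }
        }
    }
}

$invokeArgs = @{
    ComputerName  = $ComputerName
    ScriptBlock   = $Collect
    ThrottleLimit = $ThrottleLimit
    ErrorAction   = 'SilentlyContinue'   # unreachable hosts are counted, not fatal
    ErrorVariable = 'collectErrors'
}
if ($Credential) { $invokeArgs.Credential = $Credential }
$records = @(Invoke-Command @invokeArgs | Where-Object { $_.Value })

# 3. Analysis module: frequency ("stacking") analysis across the fleet.
$respondingHosts = @($records | ForEach-Object { $_.Host } | Sort-Object -Unique)
if ($respondingHosts.Count -eq 0) { throw 'No data collected; check WinRM access and credentials.' }

$stacked = @($records | Group-Object -Property Source, Value | ForEach-Object {
    $hosts = @($_.Group | ForEach-Object { $_.Host } | Sort-Object -Unique)
    [pscustomobject]@{
        Source     = $_.Group[0].Source
        Value      = $_.Group[0].Value
        HostCount  = $hosts.Count
        Prevalence = [math]::Round(100 * $hosts.Count / $respondingHosts.Count, 1)
        # Launch paths under user-writable directories deserve a closer look (assumed pattern).
        UserPath   = [bool]($_.Group[0].Value -match '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\')
        Hosts      = $hosts -join ';'
    }
})
$outliers = @($stacked | Where-Object { $_.HostCount -le $RareThreshold -or $_.UserPath } |
    Sort-Object HostCount, Source, Value)

# 4. Reporting: raw data, stacked counts, and the short list an analyst starts from.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$records  | Export-Csv -Path (Join-Path $OutDir 'collected.csv') -NoTypeInformation
$stacked  | Export-Csv -Path (Join-Path $OutDir 'stacked.csv')   -NoTypeInformation
$outliers | Export-Csv -Path (Join-Path $OutDir 'outliers.csv')  -NoTypeInformation
"Targets: $($ComputerName.Count)  Responded: $($respondingHosts.Count)  Errors: $($collectErrors.Count)"
"Distinct artifacts: $($stacked.Count)  Flagged outliers: $($outliers.Count)"
$outliers | Select-Object Source, HostCount, Prevalence, Value | Format-Table -AutoSize
```

Save the script as, for instance, Invoke-Hunt.ps1 and run `.\Invoke-Hunt.ps1 -ComputerName host1,host2 -Credential (Get-Credential)` to target a list with an explicit credential, or with no arguments to enumerate the domain under the current user context. The point of the stacking step is that prevalence is relative to the environment: a binary present on two of three hundred hosts is interesting, while the same binary on every host is baseline, which is why the analysis is done across the whole collection rather than host by host.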

This is not a novel approach to threat hunting, but I thought the project was worth sharing, because in certain environments the automation can be a time saver.

Author
Scott Sutherland (@_nullbind)

License
BSD 3-Clause