Search the Community

APT-Hunter is a Threat Hunting tool for windows event logs which made by the purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity. This tool will make good use of the windows event logs collected and make sure to not miss critical events configured to be detected. If you are a Threat Hunter, Incident Responder, or forensic investigator, I assure you will enjoy using this tool, why? I will discuss the reason in this article and how it will make your life easy just it made mine. Kindly note this tool is heavily tested but still a beta version and may contain bugs. if you are using APT-Hunter you will have : uncover any suspicious activity you don’t know about before it turns to a big incident . Detect APT movements in the system based on events from previous discovered APT attacks. Make a good use of the windows event logs you collected . faster attack detection which will decrease the response time in order to quickly contain and eradicate the attacks. Output configured to be compatible with timesketch so you can do time line analysis . With the important 60 use cases configured in one place you will invest your time in other data sources . Faster investigating multiple servers in short amount of time . it will help you in cases you don’t have much time to do deep investigation . Free Open source tool that will serve you without any limitation . Personally i used it in many incident and helped me uncover events i missed out and allowed me finish the investigations faster . Turn millions of events into hundreds with severity you can use as a filter. Changelog v3.0 New use cases based on new attacks and incidents. More statistics and detection for new log sources (Group Policy , SMB Client , SMB Server) Rebuilt with Multiprocessing to utilize available resources. Specify start and end date to focus on specific time period. lightning-fast Regex Hunt that go through tons of logs in minutes . New Object Access Report. New Process Execution Report. New Summary of Detection Results. New statistics sheet that include the unique powershell commands executed in the systems. New Statistics sheet for RDP client events with events SID automatically resolved to users. New Statistics sheet for executed powershell commands. Now you don’t need to bruteforce EventID 1029 hash to get username . WinRM events SID now automatically resolved to user name. New collected SID report that will provide you all the discovered SID with their user name. New scoring system for powershell detection to let you focus on important events. APT-Hunter now can handle any number or size of windows event logs. Hunting module now allow you to include specific event ID to search. Hunting module now allow you to provide a file with a list of regex [hide][Hidden Content]]