Recommended Open Source Projects
Scott Sutherland edited this page Feb 8, 2023 · 12 revisions
PowerHunt will not work in every environment because it requires PowerShell Remoting for data collection. Below is a list of some open source hunting projects that can help if that's the case for your environment.
Project | Description | Link |
---|---|---|
PSHunt | PSHunt is a PowerShell Threat Hunting Module designed to scan remote endpoints for indicators of compromise or survey them for more comprehensive information related to the state of those systems (active processes, autostarts, configurations, and/or logs). | https://github.com/Infocyte/PSHunt |
CimSweep | CimSweep is a suite of CIM/WMI-based tools that enable incident response and hunting operations to be performed remotely across all versions of Windows. CimSweep may also be used to engage in offensive reconnaissance without the need to drop any payload to disk. Windows Management Instrumentation has been installed, with its respective service running by default, since Windows XP and Windows 2000, and is fully supported in the latest versions of Windows including Windows 10, Nano Server, and Server 2016. | https://github.com/PowerShellMafia/CimSweep |
SeatBelt | Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. | https://github.com/GhostPack/Seatbelt |
PSRecon | PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally. | https://github.com/gfoss/PSRecon |
ThreatHunting | A Splunk app mapped to MITRE ATT&CK to guide your threat hunts. | https://github.com/olafhartong/ThreatHunting |
Sysmon-Modular | This is a configuration repository for Microsoft Sysinternals Sysmon, set up in a modular way for easier maintenance and generation of specific configs. | https://github.com/olafhartong/sysmon-modular |
SigmaHQ | Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. | https://github.com/SigmaHQ/sigma |
ChainSaw | Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs. | https://github.com/WithSecureLabs/chainsaw |
Hayabusa | Hayabusa is a Windows event log fast forensics CSV timeline generator and threat hunting tool. | https://github.com/Yamato-Security/hayabusa |