{"id":5528,"date":"2021-03-05T01:16:01","date_gmt":"2021-03-04T17:16:01","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=5528"},"modified":"2021-03-05T01:16:15","modified_gmt":"2021-03-04T17:16:15","slug":"apt-hunter-threat-hunting-tool-via-windows-event-log","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2021\/03\/apt-hunter-threat-hunting-tool-via-windows-event-log\/","title":{"rendered":"APT-Hunter &#8211; Threat Hunting Tool via Windows Event Log"},"content":{"rendered":"<p>APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2021\/03\/APT-Hunter-Threat-Hunting-Tool-via-Windows-Event-Log-640x331.png\" alt=\"APT-Hunter - Threat Hunting Tool via Windows Event Log\" width=\"640\" height=\"331\" class=\"aligncenter size-medium wp-image-5537\" srcset=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2021\/03\/APT-Hunter-Threat-Hunting-Tool-via-Windows-Event-Log-640x331.png 640w, https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2021\/03\/APT-Hunter-Threat-Hunting-Tool-via-Windows-Event-Log-1024x529.png 1024w, https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2021\/03\/APT-Hunter-Threat-Hunting-Tool-via-Windows-Event-Log.png 1091w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/p>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<p>This will help you to decrease the time to uncover suspicious activity and the tool will make good use of the windows event logs collected and make sure to not miss critical events configured to be detected.<\/p>\n<p>The target audience for APT-Hunter is threat hunters, incident response professionals or forensic investigators.<\/p>\n<h2>Features of APT-Hunter Threat Hunting Tool<\/h2>\n<ul>\n<li>Provide output with time sketch format to upload it directly and start analyzing the time line<\/li>\n<li>Events Categorized based Severity to make the filtering easy and focus on what important<\/li>\n<li>Have A log collection automation script to collect all the required logs to save the time required to export important logs<\/li>\n<li>Gather and analyze (Sysmon, Security, System, Powershell, Powershell_Operational, ScheduledTask, WinRM, TerminalServices, Windows_Defender)<\/li>\n<li>This rule tested in many real incidents and provided a great information that reduced the time to detect initial evidence<\/li>\n<li>Can run on any system thanks to python3, you can do live analysis on the affected system or take the logs offline and analyze them on any system<\/li>\n<li>Log Parsing and extraction using Regex<\/li>\n<li>This tool built based on researches published on the internet and testing done by me in order to collect most of the useful use cases in one tool<\/li>\n<li>Includes more than 60 Use cases along with Security and terminal services logs statistics and more will be added soon . Say good bye to memorizing use cases and SIEM searches<\/li>\n<li>Now you don\u2019t need to setup instance of SIEM, Log collector solutions to help you parse and extract the required data nor you have to keep looking at sheet with million of events<\/li>\n<li>Log statistics that will help you uncover the anomaly<\/li>\n<li>Easy to add new detection rule as the fields clear and syntax easy to use<\/li>\n<li>Support windows event logs exported as EVTX and CSV<\/li>\n<li>Analyst can add new malicious executable names directly to list<\/li>\n<li>Provide output as excel sheet with every Log as work sheet<\/li>\n<\/ul>\n<h2>Using APT-Hunter Threat Hunting Tool<\/h2>\n<pre>\r\n# python3 APT-Hunter.py -h\r\n\r\nusage: APT-Hunter.py [-h] [-p PATH] [-o OUT] [-t {csv,evtx}]\r\n-h, --help show this help message and exit\r\n-p PATH, --path PATH path to folder containing windows event logs generated by the APT-Hunter-Log-Collector.ps1\r\n-o OUT, --out OUT output file name\r\n-t {csv,evtx}, --type {csv,evtx} csv ( logs from get-eventlog or windows event log GUI or logs from Get-WinEvent ) , evtx ( EVTX extension windows event log )\r\n--security SECURITY Path to Security Logs\r\n--system SYSTEM Path to System Logs\r\n--scheduledtask SCHEDULEDTASK Path to Scheduled Tasks Logs\r\n--defender DEFENDER Path to Defender Logs\r\n--powershell POWERSHELL Path to Powershell Logs\r\n--powershellop POWERSHELLOP Path to Powershell Operational Logs\r\n--terminal TERMINAL Path to TerminalServices LocalSessionManager Logs\r\n--winrm WINRM Path to Winrm Logs\r\n--sysmon SYSMON Path to Sysmon Logs\r\n-p : provide path to directory containing the extracted using the powershell log collectors ( windows-log-collector-full-v3-CSV.ps1 , windows-log-collector-full-v3-EVTX.ps1 ) .\r\n-o : name of the project which will be used in the generated output sheets\r\n-t : the log type if its CSV or EVTX\r\n<\/pre>\n<p>You can download APT-Hunter here:<\/p>\n<p><strong>Linux:<\/strong> <a href=\"https:\/\/github.com\/ahmedkhlief\/APT-Hunter\/releases\/download\/v1.0-beta\/APT-Hunter-nix.zip\">APT-Hunter-nix.zip<\/a><br \/>\n<strong>Windows:<\/strong> <a href=\"https:\/\/github.com\/ahmedkhlief\/APT-Hunter\/releases\/download\/v1.0-beta\/APT-Hunter_Windows.zip\">APT-Hunter_Windows.zip<\/a><br \/>\n<strong>Source:<\/strong> <a href=\"https:\/\/github.com\/ahmedkhlief\/APT-Hunter\/archive\/v1.0-beta.zip\">v1.0-beta.zip<\/a><\/p>\n<p>Or read more <a href=\"https:\/\/github.com\/ahmedkhlief\/APT-Hunter\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs. This will help you to decrease the time to uncover suspicious activity and the tool will make good use of the windows [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":5537,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"APT-Hunter - Threat Hunting Tool via Windows Event Log","_seopress_titles_desc":"APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[11],"tags":[],"featured_image_src":"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2021\/03\/APT-Hunter-Threat-Hunting-Tool-via-Windows-Event-Log.png","featured_image_src_square":"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2021\/03\/APT-Hunter-Threat-Hunting-Tool-via-Windows-Event-Log.png","author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/5528"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=5528"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/5528\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media\/5537"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=5528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=5528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=5528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}