APT Hunter

APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity

1257
238
Python

APT-Hunter

APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity . APT-Hunter use pre-defined detection rules and focus on statistics to uncover abnormalities which is very effective in compromise assessment . the output produced with timeline that can be analyzed directly from Excel , Timeline Explorer , Timesketch , etc…

Full information about the tool and how its used in this article : introducing-apt-hunter-threat-hunting-tool-using-windows-event-log

New Release Info : APT-HUNTER V3.0 : Rebuilt with Multiprocessing and new cool features

Author

Twitter : @ahmed_khlief

Linkedin : Ahmed Khlief

Donwload APT-Hunter :

Download the latest stable version of APT-Hunter with compiled binaries from Releases page.

How to Use APT-Hunter

APT-Hunter built using python3 so in order to use the tool you need to install the required libraries.

python3 -m pip install -r requirements.txt

APT-Hunter is easy to use you just use the argument -h to print help to see the options needed .

python3 APT-Hunter.py -h

APT-Hunter Help

APT-Hunter Analyzing with all report

APT-Hunter commandline output

APT-Hunter Excel Output

APT-Hunter CSV Output with Time Sketch

Exmaples :

Analyzing EVTX files , you can provide directory containing the logs or single file , APT hunter will detect the type of logs .

python3 APT-Hunter.py -p /opt/wineventlogs/ -o Project1 -allreport

Adding time frame to focus on specific timeline :

python3 APT-Hunter.py -p /opt/wineventlogs/ -o Project1 -allreport -start 2022-04-03 -end 2022-04-05T20:56

Hunting using String or regex :

python3 APT-Hunter.py -hunt "psexec" -p /opt/wineventlogs/ -o Project2

python3 APT-Hunter.py -huntfile "(psexec|psexesvc)" -p /opt/wineventlogs/ -o Project2

hunting using file that contain list of regex :

python3 APT-Hunter.py -huntfile "huntfile.txt)" -p /opt/wineventlogs/ -o Project2

Hunting using sigma rules :

python3 APT-Hunter.py -sigma -rules rules.json -p /opt/wineventlogs/ -o Project2

Getting Latest sigma rules converted for APT-Hunter ( output will be a file with name rules.json that contain the rules from Sigma repository Sigma ):

Get_Latest_Sigma_Rules.sh

Output Samples

APT-Hunter CSV Output : This CSV file you can upload it to timesketch in order to have timeline analysis that will help you see the full picture of the attack .

APT-Hunter Excel Output : this excel sheet will include all the events detected from every windows logs provided to APT-Hunter.

APT-Hunter Success and Failed logon Report : ALl logon events with parsed fields (Date, User , Source IP , Logon Process , Workstation Name , Logon Type , Device Name , Original Log ) as columns.

APT-Hunter Process Execution Report : all process execution captured from the event logs.

APT-Hunter Object Access Report : all object access captured from Event (4663) .

APT-Hunter Collected SID Report : Collected Users with their SID list to help you in the investigation.

APT-Hunter EventID Frequency Report : EventID frequency analysis report.

Credits :

I would like to thank Joe Maccry for his amazing contribution in Sysmon use cases ( more than 100 use cases added by Joe )