The Threat Hunter's Collection is a single PowerShell script that consolidates a diverse array of tools, a first step toward a comprehensive toolkit for cyber threat hunters.
This collection aims to simplify the threat hunting process by providing a single point of access to various tools, eliminating the need for tedious setup, sourcing downloads, or complex commands.
The toolkit promotes portability, allowing hunters to be creative: carry it on a USB drive, send it as an email template, or curl it from a repository for convenient and efficient threat hunting on the go. Explore the tools, contribute to the project, and enhance your threat hunting capabilities with the Threat Hunter's Collection.
- Host Info - Enumerate host info and write stdout to an exportable .txt file
- Sysmon - Log system activity to the Windows Event Log
- DeepBlueCLI - Hunt via Sysmon & Windows Event Logs
- AutoRuns - Hunt for scheduled tasks and persistence
- ProcMon - Hunt file system, registry, & process/thread activity
- ProcExp - Hunt DLLs and processes
- TCPView - Hunt all TCP and UDP connections
- AccessEnum - Hunt file system and registry permissions / security settings
- WizTree - Hunt file structure
- Download the single THC PowerShell script (Optional: you can move the script to your desktop)
- Run a PowerShell terminal as administrator.
- Traverse to your Downloads folder or desktop (depending on where THC.ps1 is)
- Enable scripting by pasting this into your terminal (also found in the first line of the PowerShell script so you don't have to come here to copy pasta):

```powershell
powershell.exe -noprofile -executionpolicy bypass -file .\THC.ps1
```

- [Optional] You can unrestrict the execution policy for repetitive usage, then run THC.ps1:

```powershell
Set-ExecutionPolicy unrestricted
.\THC.ps1
```

- Don't forget to set the policy back to restricted when you leave:

```powershell
Set-ExecutionPolicy restricted
```

- Hunt 😎
10/14/24 - Discovered that deploying DeepBlueCLI from the main source will throw an Android malware detection on your AV. This repo is directly from the author and I don't see any changes to his repo. Regardless, please use my mirror, as that was in a good state without throwing a malware detection. Weird, but glad I implemented hash checking to catch it :)
To be added later.
Signatures - All downloads are checked against a pinned SHA256 hash. If the hash does not match, the upstream file was either updated or compromised, so the script falls back to the mirror source; these mirror files are hosted here in this repo.
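The download-and-verify flow described above, written out as an added example (this is not the THC script's own code); the URLs, file name and expected hash are placeholders you would replace with the real upstream source, the repo's mirror, and the pinned hash:

```powershell
# Added example, not THC's own code: fetch a tool from the primary source,
# verify its SHA256 against a pinned value, and fall back to the mirror on
# mismatch. URLs and the hash below are PLACEHOLDERS, not real project values.

function Get-VerifiedDownload {
    param(
        [Parameter(Mandatory)] [string] $PrimaryUrl,
        [Parameter(Mandatory)] [string] $MirrorUrl,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [Parameter(Mandatory)] [string] $Destination
    )

    foreach ($url in @($PrimaryUrl, $MirrorUrl)) {
        # Download to a random temp path so an unverified file never lands at $Destination.
        $tmp = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
        try {
            Invoke-WebRequest -Uri $url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
        } catch {
            Write-Warning "Download failed from $url : $($_.Exception.Message)"
            continue
        }

        # -eq is case-insensitive in PowerShell, so hex case in the pin does not matter.
        $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
        if ($actual -eq $ExpectedSha256) {
            Move-Item -Path $tmp -Destination $Destination -Force
            Write-Host "Verified $Destination from $url"
            return $true
        }

        # Mismatch: upstream was updated or tampered with. Discard and try the next source.
        Write-Warning "SHA256 mismatch from $url (expected $ExpectedSha256, got $actual); discarding"
        Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
    }

    throw "No source produced a file matching the pinned SHA256; refusing to run an unverified binary"
}

# Usage with placeholder values (replace with the real source, mirror and pinned hash):
Get-VerifiedDownload `
    -PrimaryUrl     'https://example.invalid/upstream/DeepBlue.ps1' `
    -MirrorUrl      'https://example.invalid/mirror/DeepBlue.ps1' `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000' `
    -Destination    (Join-Path (Get-Location) 'DeepBlue.ps1')
```

Because every candidate is hashed before it is moved into place, the script never executes a file whose hash it could not confirm, which is exactly what caught the DeepBlueCLI upstream change noted above.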
Sysmon - requires a few policy adjustments: enable Audit Process Creation (see the screenshots for the steps)
- This process will be automated in the next release
DeepBlueCLI - Aware of a few bugs
- This is being worked on.
Pro version - Remote access, EDR or other personal account bound apps
- Remote Access & EDR is the private pro version for my own use, the code is not included in this repo.
32bit - Apparently, I've come across more 32-bit systems than I anticipated.
- I am incredibly disappointed that I have to accommodate 32-bit systems, but that is the world we live in. I will work on including this.
Please always exercise caution, use only if authorized.
I'm a cybersecurity engineer working primarily in the financial industry, and I enjoy helping small businesses that don't always have the budget for security or assistance.
Linkedin | Discord | GitHub | Email: [email protected]
If you have any feedback for suggestions, bugs, or ideas please reach out at [email protected]