APT-Hunter - Threat Hunting Tool For Windows Event Logs Which Made By Purple Team Mindset To Provide Detect APT Movements Hidden In The Sea Of Windows Event Logs To Decrease The Time To Uncover Suspicious Activity


[![](https://1.bp.blogspot.com/-KsyNLrOGXtQ/YDSRDCXt4uI/AAAAAAAAVaw/0TiMPBgKYGE6iWA_IuHE_OT8g0STGzIYwCNcBGAsYHQ/w640-h564/APT-Hunter.png)](<https://1.bp.blogspot.com/-KsyNLrOGXtQ/YDSRDCXt4uI/AAAAAAAAVaw/0TiMPBgKYGE6iWA_IuHE_OT8g0STGzIYwCNcBGAsYHQ/s931/APT-Hunter.png>) APT-Hunter is [Threat Hunting](<https://www.kitploit.com/search/label/Threat%20Hunting> "Threat Hunting" ) tool for windows event logs which made by [purple team](<https://www.kitploit.com/search/label/Purple%20Team> "purple team" ) mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity . this tool will make a good use of the windows event logs collected and make sure to not miss critical events configured to be detected. If you are a Threat Hunter , Incident [Responder](<https://www.kitploit.com/search/label/Responder> "Responder" ) or forensic investigator , i assure you will enjoy using this tool , why ? i will discuss the reason in this article and how it will make your life easy just it made mine . Kindly note this tool is heavily tested but still a beta version and may contain bugs . Full information about the tool and how its used in this article : [introducing-apt-hunter-threat-hunting-tool-using-windows-event-log](<https://shells.systems/introducing-apt-hunter-threat-hunting-tool-via-windows-event-log/> "introducing-apt-hunter-threat-hunting-tool-using-windows-event-log" ) **Author :** Twitter : [@ahmed_khlief](<https://twitter.com/ahmed_khlief> "@ahmed_khlief" ) Linkedin : [Ahmed Khlief](<https://www.linkedin.com/in/ahmed-khlief-499321a7> "Ahmed Khlief" ) **How to Use APT-Hunter** The first thing to do is to collect the logs if you didn’t and with [powershell](<https://www.kitploit.com/search/label/PowerShell> "powershell" ) log collectors its easy to collect the needed logs automatically you just run the powershell scripts as administrator . To collect the logs in EVTX format use : windows-log-collector-full-v3-EVTX.ps1 To collect the logs in CSV format use : windows-log-collector-full-v3-CSV.ps1 **For Windows users please use the latest release :** [Latest Release](<https://github.com/ahmedkhlief/APT-Hunter/releases> "Latest Release" ) APT-Hunter built using python3 so in order to use the tool you need to install the required libraries ( **python3.9 is not supported yet**). `python3 -m pip install -r Requirements.txt` APT-Hunter is easy to use you just use the argument -h to print help to see the options needed . ` python3 APT-Hunter.py -h` `usage: APT-Hunter.py [-h] [-p PATH] [-o OUT] [-t {csv,evtx}]` ` -h, --help show this help message and exit` ` -p PATH, --path PATH path to folder containing windows event logs generated by the APT-Hunter-Log-Collector.ps1` ` -o OUT, --out OUT output file name` ` -t {csv,evtx}, --type {csv,evtx} csv ( logs from get-eventlog or windows event log GUI or logs from Get-WinEvent ) , evtx ( EVTX extension windows event log )` ` --security SECURITY Path to Security Logs` ` --system SYSTEM Path to System Logs` ` --scheduledtask SCHEDULEDTASK Path to Scheduled Tasks Logs` ` --defender DEFENDER Path to Defender Logs` ` --powershell POWERSHELL Path to Powershell Logs` ` --powershellop POWERSHELLOP Path to Powershell Operational Logs` ` --terminal TERMINAL Path to TerminalServices LocalSessionManager Logs` ` --winrm WINRM Path to Winrm Logs` ` --sysmon SYSMON Path to Sysmon Logs` ` -p : provide path to directory containing the extracted using the powershell log collectors ( windows-log-collector-full-v3-CSV.ps1 , windows-log-collector-full-v3-EVTX.ps1 ) .` ` -o : name of the project which will be used in the generated output sheets` ` -t : the log type if its CSV or EVTX` The remaining arguments if you want to analyze single type of logs. **Exmaples :** `python3 APT-Hunter.py -t evtx -p /opt/wineventlogs/ -o Project1` `python3 APT-Hunter.py -t csv -p /opt/wineventlogs/ -o Project1` `python3 APT-Hunter.py -t evtx --security evtx/security.evtx --powershell evtx/powershell.evtx -o Project2` **The result will be available in two sheets :** Project1_Report.xlsx : this excel sheet will include all the events detected from every windows logs provided to APT-Hunter Project1_TimeSketch.csv : This CSV file you can upload it to timesketch in order to have timeline [analysis](<https://www.kitploit.com/search/label/Analysis> "analysis" ) that will help you see the full picture of the attack . **[Download APT-Hunter](<https://github.com/ahmedkhlief/APT-Hunter> "Download APT-Hunter" )**