APT-Hunter is a Threat Hunting tool for Windows event logs

Overview

APT-Hunter

APT-Hunter is a threat hunting tool for Windows event logs, built with a purple-team mindset to detect APT movements hidden in the sea of Windows event logs and to decrease the time needed to uncover suspicious activity. The tool makes good use of the Windows event logs collected and makes sure not to miss the critical events it is configured to detect. If you are a threat hunter, incident responder or forensic investigator, I assure you that you will enjoy using this tool; why? I will discuss the reasons in this article and how it will make your life easier, just as it made mine. Kindly note that this tool is heavily tested but still a beta version and may contain bugs.

Full information about the tool and how it is used is in this article : introducing-apt-hunter-threat-hunting-tool-using-windows-event-log

Author :

Twitter : @ahmed_khlief

Linkedin : Ahmed Khlief

How to Use APT-Hunter

The first thing to do is to collect the logs, if you have not already. With the PowerShell log collectors it is easy to collect the needed logs automatically: just run the PowerShell scripts as administrator.

To collect the logs in EVTX format use : windows-log-collector-full-v3-EVTX.ps1

To collect the logs in CSV format use : windows-log-collector-full-v3-CSV.ps1

For Windows users, please use the latest release : Latest Release

APT-Hunter is built using Python 3, so in order to use the tool you need to install the required libraries ( Python 3.9 is not supported yet ).

python3 -m pip install -r Requirements.txt

APT-Hunter is easy to use: pass the argument -h to print the help and see the available options.

python3 APT-Hunter.py -h

usage: APT-Hunter.py [-h] [-p PATH] [-o OUT] [-t {csv,evtx}]

-h, --help show this help message and exit

-p PATH, --path PATH path to folder containing windows event logs generated by the APT-Hunter-Log-Collector.ps1

-o OUT, --out OUT output file name

-t {csv,evtx}, --type {csv,evtx} csv ( logs from get-eventlog or windows event log GUI or logs from Get-WinEvent ) , evtx ( EVTX extension windows event log )

--security SECURITY Path to Security Logs

--system SYSTEM Path to System Logs

--scheduledtask SCHEDULEDTASK Path to Scheduled Tasks Logs

--defender DEFENDER Path to Defender Logs

--powershell POWERSHELL Path to Powershell Logs

--powershellop POWERSHELLOP Path to Powershell Operational Logs

--terminal TERMINAL Path to TerminalServices LocalSessionManager Logs

--winrm WINRM Path to Winrm Logs

--sysmon SYSMON Path to Sysmon Logs

-p : path to the directory containing the logs extracted using the PowerShell log collectors ( windows-log-collector-full-v3-CSV.ps1 , windows-log-collector-full-v3-EVTX.ps1 ) .

-o : name of the project, which is used to name the generated output sheets

-t : the log type, CSV or EVTX

The remaining arguments are for analyzing a single type of log.

Examples :

python3 APT-Hunter.py -t evtx -p /opt/wineventlogs/ -o Project1

python3 APT-Hunter.py -t csv -p /opt/wineventlogs/ -o Project1

python3 APT-Hunter.py -t evtx --security evtx/security.evtx --powershell evtx/powershell.evtx -o Project2

The results will be available in two files :

Project1_Report.xlsx : this Excel sheet includes all the events detected from every Windows log provided to APT-Hunter

Project1_TimeSketch.csv : this CSV file can be uploaded to Timesketch for timeline analysis, which helps you see the full picture of the attack.
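As an added illustration of what one of these detections does internally (example code written for this page, not APT-Hunter's own implementation), the block below parses constructed 4625 logon-failure records in the XML shape an EVTX parser emits, flags a password spray using the events' own TimeCreated timestamps rather than the analysis host's clock, tolerates records with missing EventData fields instead of indexing into an empty list, and emits rows in the three-column CSV layout Timesketch imports. The sample records, the 5-minute window and the 3-account threshold are assumptions chosen for the demo.

```python
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta


def make_event(event_id, system_time, fields):
    """Render a minimal Windows event record in the XML shape an EVTX
    parser emits (constructed test data, not a real log)."""
    data = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in fields.items())
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>%d</EventID>"
        '<TimeCreated SystemTime="%s"/><Computer>DC1.corp.example</Computer></System>'
        "<EventData>%s</EventData></Event>" % (event_id, system_time, data)
    )


# Constructed sample: one source fails against four accounts within 30 s,
# one unrelated failure, one failure with no IpAddress field, one success.
SAMPLE_EVENTS = [
    make_event(4625, "2021-05-01T10:00:00.000000Z", {"TargetUserName": "alice", "IpAddress": "10.0.0.5", "LogonType": "3"}),
    make_event(4625, "2021-05-01T10:00:10.000000Z", {"TargetUserName": "bob", "IpAddress": "10.0.0.5", "LogonType": "3"}),
    make_event(4625, "2021-05-01T10:00:20.000000Z", {"TargetUserName": "carol", "IpAddress": "10.0.0.5", "LogonType": "3"}),
    make_event(4625, "2021-05-01T10:00:30.000000Z", {"TargetUserName": "dave", "IpAddress": "10.0.0.5", "LogonType": "3"}),
    make_event(4625, "2021-05-01T10:01:00.000000Z", {"TargetUserName": "eve", "IpAddress": "10.0.0.9"}),
    make_event(4625, "2021-05-01T10:02:00.000000Z", {"TargetUserName": "frank"}),  # IpAddress missing
    make_event(4624, "2021-05-01T10:03:00.000000Z", {"TargetUserName": "alice", "IpAddress": "10.0.0.5"}),
]


def parse_event(xml_text):
    """Parse one record into event_id, TimeCreated and an EventData dict.
    EventData values are looked up with .get() downstream, so a record
    without IpAddress or TargetUserName cannot raise IndexError."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the xmlns prefix so tags match by local name
        el.tag = el.tag.split("}", 1)[-1]
    system = root.find("System")
    time_created = system.find("TimeCreated")
    if time_created is None or not time_created.get("SystemTime"):
        raise ValueError("record has no TimeCreated/SystemTime")
    # Use the timestamp recorded in the log, never datetime.now() of the analyst box.
    when = datetime.strptime(time_created.get("SystemTime")[:19], "%Y-%m-%dT%H:%M:%S")
    data = {}
    event_data = root.find("EventData")
    if event_data is not None:
        for d in event_data.findall("Data"):
            data[d.get("Name", "")] = (d.text or "").strip()
    return {"event_id": int(system.findtext("EventID")), "time": when,
            "computer": system.findtext("Computer", ""), "data": data}


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=3):
    """Flag a source IP that fails logons (4625) against at least
    min_accounts distinct accounts inside a sliding time window."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4625:
            continue
        src = ev["data"].get("IpAddress") or "-"          # tolerate missing field
        user = ev["data"].get("TargetUserName") or "<unknown>"
        by_source[src].append((ev["time"], user, ev["computer"]))
    findings = []
    for src, attempts in by_source.items():
        attempts.sort()
        for i, (t0, _, computer) in enumerate(attempts):
            in_window = [u for t, u, _ in attempts[i:] if t - t0 <= window]
            accounts = sorted(set(in_window))
            if len(accounts) >= min_accounts:
                findings.append({"source": src, "computer": computer, "first_seen": t0,
                                 "accounts": accounts, "attempts": len(in_window)})
                break  # one finding per source is enough for the timeline
    return findings


def timesketch_csv(findings):
    """Serialize findings with the message/datetime/timestamp_desc columns
    Timesketch expects in an uploaded CSV."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["message", "datetime", "timestamp_desc"])
    writer.writeheader()
    for f in findings:
        writer.writerow({
            "message": "Password spray from %s on %s against %d accounts (%s)"
                       % (f["source"], f["computer"], len(f["accounts"]), ", ".join(f["accounts"])),
            "datetime": f["first_seen"].strftime("%Y-%m-%dT%H:%M:%S"),
            "timestamp_desc": "Event Time",
        })
    return buf.getvalue()


if __name__ == "__main__":
    print(timesketch_csv(detect_password_spray([parse_event(x) for x in SAMPLE_EVENTS])))
```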

Comments
  • EVTX-ATTACK-SAMPLES

    EVTX-ATTACK-SAMPLES

    Hi, first of all an awesome job. I've been trying to use https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES for testing but unfortunately I was not able to do it. What would be the correct approach, if possible at all? Thanks a lot.

    opened by V0lundr 5
  • Can't install Requirements

    Can't install Requirements

    I installed python 3.9 on my Windows 10 Pro machine (only this fresh install of python, no other languages installed). When executing the command python -m pip install -r Requirements.txt I get the error listed below. I had run the command 2x, I assume this is why it says it references "cached"

    Collecting netaddr
      Using cached netaddr-0.8.0-py2.py3-none-any.whl (1.9 MB)
    Collecting evtx
      Using cached evtx-0.6.8.tar.gz (2.2 kB)
        ERROR: Command errored out with exit status 1:
         command: 'C:\Users\XXXXX\AppData\Local\Programs\Python\Python39\python.exe' -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py'"'"'; __file__='"'"'C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base 'C:\Users\XXXXX\AppData\Local\Temp\pip-pip-egg-info-yy_8dz2x'
             cwd: C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'

    Note that I am running the command in an elevated command prompt.

    Thank you for any assistance.

    opened by brohan 4
  • File path does not exist

    File path does not exist

    I am trying this out during post-mortem forensics.

    I copy all .evtx files out of my images into a folder and then run APT-Hunter against all the files in the folder.

    Only the System and Security Events parse and I receive the following errors running the following command: .\APT-Hunter.exe -t evtx -p I:\Evidence\Case\EVTX\Dc1\ -o Case-Dc1

    Error Analyzing Security logs: File Path Does Not Exist
    Error Analyzing System logs : File Path Does Not Exist
    Error Analyzing Powershell Operational logs : File Path Does Not Exist
    Error Analyzing Powershell logs : File Path Does Not Exist
    Error Analyzing TerminalServices LocalSessionManager logs: File Path Does Not Exist
    Error Analyzing Scheduled Task logs : File Path Does Not Exist
    Error Analyzing Windows Defender logs : File Path Does Not Exist
    Error Analyzing WinRM logs : File Path Does Not Exist
    Error Analyzing Sysmon logs

    Does it have anything to do with the filenames from the OS?

    Microsoft-Windows-PowerShell%4Admin.evtx
    Microsoft-Windows-PowerShell%4Operational.evtx
    Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
    Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
    Microsoft-Windows-Windows Defender%4Operational.evtx
    Microsoft-Windows-Windows Defender%4WHC.evtx

    opened by clive7391 3
  • Requirements Issue

    Requirements Issue

    I am trying to install the requirements on Win 10, I have installed Python3 + Rust but keep encountering this error -

    I installed Rust using - pip install setuptools-rust - & the rustup-init.exe but still keep getting this -

    ERROR: Failed building wheel for evtx Running setup.py clean for evtx Failed to build evtx Installing collected packages: evtx, netaddr, numpy, six, python-dateutil, pytz, pandas, XlsxWriter Running setup.py install for evtx ... error ERROR: Command errored out with exit status 1: command: 'C:\Users\user\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"'; file='"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record 'C:\Users\user\AppData\Local\Temp\pip-record-03gi9t6z\install-record.txt' --single-version-externally-managed --user --prefix= --compile --install-headers 'C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Include\evtx' cwd: C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx
    Complete output (42 lines): running install running build running build_ext running build_rust error: manifest path Cargo.toml does not exist Traceback (most recent call last): File "", line 1, in File "C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py", line 21, in setup( File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\site-packages\setuptools_init_.py", line 165, in setup return distutils.core.setup(**attrs) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\core.py", line 148, in setup dist.run_commands() File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 966, in run_commands self.run_command(cmd) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command cmd_obj.run() File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\site-packages\setuptools\command\install.py", line 61, in run return orig.install.run(self) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\command\install.py", line 546, in run self.run_command('build') File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\cmd.py", line 313, in run_command self.distribution.run_command(command) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command cmd_obj.run() File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\command\build.py", line 135, in run self.run_command(cmd_name) File "C:\Program 
Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\cmd.py", line 313, in run_command self.distribution.run_command(command) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command cmd_obj.run() File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\setuptools_ext.py", line 23, in run build_rust.run() File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\build.py", line 357, in run self.build_extension(ext) File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\build.py", line 120, in build_extension metadata = json.loads(check_output(metadata_command).decode("utf-8")) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\subprocess.py", line 420, in check_output return run(*popenargs, stdout=PIPE, timeout=timeout, check=True, File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\subprocess.py", line 524, in run raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '['cargo', 'metadata', '--manifest-path', 'Cargo.toml', '--format-version', '1']' returned non-zero exit status 101. 
---------------------------------------- ERROR: Command errored out with exit status 1: 'C:\Users\user\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"'; file='"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record 'C:\Users\user\AppData\Local\Temp\pip-record-03gi9t6z\install-record.txt' --single-version-externally-managed --user --prefix= --compile --install-headers 'C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Include\evtx' Check the logs for full command output.

    opened by hackjalstead 3
  • Missing `setuptools_rust` from requirements

    Missing `setuptools_rust` from requirements

    Hi! When launching a dry run to install requirements, it misses the setuptools_rust.

    (.env) ~/APT-Hunter >>> pip install -r Requirements.txt                                                                                                                       ±[main]
    Collecting evtx
      Downloading evtx-0.6.8.tar.gz (2.2 kB)
        ERROR: Command errored out with exit status 1:
         command: /home/xxx/APT-Hunter/.env/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py'"'"'; __file__='"'"'/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-nk2jwvmk
             cwd: /tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'
        ----------------------------------------
    ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    

    Thanks, the tool looks awesome!

    opened by evilcel3ri 3
  • Seeing the following error .

    Seeing the following error .

    root@kali:/home/kali/Desktop/APT-Hunter# python3 -m pip install -r requirements.txt Collecting evtx Using cached evtx-0.6.8.tar.gz (2.2 kB) ERROR: Command errored out with exit status 1: command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py'"'"'; file='"'"'/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-7w2zav_u cwd: /tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/
    Complete output (5 lines):
    Traceback (most recent call last):
    File "", line 1, in
    File "/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py", line 5, in
    from setuptools_rust import RustExtension
    ModuleNotFoundError: No module named 'setuptools_rust'
    ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/33/18/b32715bae61c4fe6a7cdb79aafccb0d4797a1bfef028e9689197af214966/evtx-0.6.8.tar.gz#sha256=414507b79fe997a35fbf05ae57dd2f55a7acfc669b19d9125a894ffe40dbeade (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    Using cached evtx-0.3.0.tar.gz (1.8 kB) ERROR: Command errored out with exit status 1: command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/setup.py'"'"'; file='"'"'/tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-xfau9bd2 cwd: /tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/
    Complete output (5 lines):
    Traceback (most recent call last):
    File "", line 1, in
    File "/tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/setup.py", line 5, in
    from setuptools_rust import RustExtension
    ModuleNotFoundError: No module named 'setuptools_rust'
    ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/2d/fe/f207c57f183d07aa405679019ec37193dacdb25cd814f185f7b817915101/evtx-0.3.0.tar.gz#sha256=1ce5fde2b9df791af5e72c9c28d0a85b7a41ac36b2dcf34522ce909379d49509 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    Using cached evtx-0.2.7.tar.gz (1.8 kB) ERROR: Command errored out with exit status 1: command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/setup.py'"'"'; file='"'"'/tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-b70tzy4y cwd: /tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/
    Complete output (5 lines):
    Traceback (most recent call last):
    File "", line 1, in
    File "/tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/setup.py", line 5, in
    from setuptools_rust import RustExtension
    ModuleNotFoundError: No module named 'setuptools_rust'
    ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/80/01/7778d9c3a33f40f108da547fb518f86da9a9afe13bd43c15c42b029e4d64/evtx-0.2.7.tar.gz#sha256=4e60da0ac63c51d3065952f45e3b865b161e6e3f0e17adf2f3300b18f6f399e8 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    Using cached evtx-0.2.6.tar.gz (1.8 kB) ERROR: Command errored out with exit status 1: command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/setup.py'"'"'; file='"'"'/tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-7ficjdna cwd: /tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/
    Complete output (5 lines):
    Traceback (most recent call last):
    File "", line 1, in
    File "/tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/setup.py", line 5, in
    from setuptools_rust import RustExtension
    ModuleNotFoundError: No module named 'setuptools_rust'
    ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/a5/4e/5dfd9ad96e7bbe29e3c6e8f380175d6382722d4306547f34e40e33d022b7/evtx-0.2.6.tar.gz#sha256=5c9a1a988e28a128abf539fdb6c2ae08f6ea2f3e15d534f10362edf597bcd1a8 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    Using cached evtx-0.2.5.tar.gz (1.4 kB) ERROR: Command errored out with exit status 1: command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/setup.py'"'"'; file='"'"'/tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-753zlwh6 cwd: /tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/
    Complete output (5 lines):
    Traceback (most recent call last):
    File "", line 1, in
    File "/tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/setup.py", line 5, in
    from setuptools_rust import RustExtension
    ModuleNotFoundError: No module named 'setuptools_rust'
    ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/11/4c/13588de4d88a437e00a10653969b86b886cb1db22a7a758729edd4ed2ac8/evtx-0.2.5.tar.gz#sha256=ab7c61b01d6723b2da5fa192faf12cc82bc54b4a3a9ee338aff665cd7f29cf33 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    ERROR: Could not find a version that satisfies the requirement evtx ERROR: No matching distribution found for evtx

    opened by krisz-bot 2
  • Adding pandas and xlsxwriter to reqs + Fix date in PasswordSpray detection

    Adding pandas and xlsxwriter to reqs + Fix date in PasswordSpray detection

    When launching a dry run, I noticed some libraries were missing. This PR adds them in the requirements.txt.

    It also adds a fix for the PasswordSpray detection which used to use datetime.now instead of the actual date in the log file.

    opened by evilcel3ri 2
  • Error Analyzing Powershell Operational logs - list index out of range

    Error Analyzing Powershell Operational logs - list index out of range

    Description: Kali GNU/Linux Rolling
    Release: 2021.3
    Codename: kali-rolling
    Python Version: Python 3.9.7

    Error Analyzing Powershell Operational logs 
    ERROR:root:Traceback (most recent call last):
      File "/home/kali/sources/APT-Hunter/APT-Hunter.py", line 80, in evtxdetect_auto
        EvtxDetection.detect_events_powershell_operational_log(powershellop_path_list,input_timezone)
      File "/home/kali/sources/APT-Hunter/lib/EvtxDetection.py", line 2399, in detect_events_powershell_operational_log
        Event_desc = "Found User (" + User[0].strip() + ") run PowerShell with Command Name (" + \
    IndexError: list index out of range
    
    opened by scusi 1
  • 2.0 - evtxdetect_auto error and no CSV output

    2.0 - evtxdetect_auto error and no CSV output

    Hello,

    Thank you for providing a compiled Windows EXE. I'll be making a Module in KAPE for this tool, but first I think some bugs need to be fixed :)

    I ran the tool against the EVTX-ATTACK-SAMPLES repo and received the following errors:

    Error Analyzing Sysmon logs
    ERROR:root:Traceback (most recent call last):
      File "APT-Hunter.py", line 130, in evtxdetect_auto
      File "lib\EvtxDetection.py", line 3082, in detect_events_Sysmon_log
    NameError: name 'user' is not defined
    

    https://github.com/ahmedkhlief/APT-Hunter/blob/60fc3fd07616e89e5fdb8e390cf6a564d1c64435/APT-Hunter.py#L130 https://github.com/ahmedkhlief/APT-Hunter/blob/60fc3fd07616e89e5fdb8e390cf6a564d1c64435/lib/EvtxDetection.py#L3082

    Also, despite the below message indicating otherwise, there was no CSV output to be found.

    Time Sketch Report saved as V:\EVTX\APTHunterTest_TimeSketch.csv
    Logon Events Report saved as V:\EVTX\APTHunterTest_Logon_Events.csv
    Report saved as V:\EVTX\APTHunterTest_Report.xlsx
    

    So I think something might be wrong 🤷

    opened by AndrewRathbun 1
  • Getting an error with sysmon

    Getting an error with sysmon

    Hello,

    I'm getting this error:

      File "APT-Hunter.py", line 108, in evtxdetect
        EvtxDetection.detect_events_Sysmon_log(sysmon_path)
      File "C:\IR\APT-Hunter-main-Windows-V1.1-Stable\lib\EvtxDetection.py", line 2018, in detect_events_Sysmon_log
        if CommandLine[0].strip().find(i)>-1:
    IndexError: list index out of range

    Using python 3.7.4 and Sysmon 13.02

    Command: python APT-Hunter.py -t evtx --sysmon c:/temp3/logs/wineventlog/Sysmon.evtx -o Test_00

    Thanks,

    opened by rangerrkm 1
  • Remote fetch of EVTX

    Remote fetch of EVTX

    Hi

    it would be nice to extend the script windows-log-collector-full-v3-EVTX.ps1 to extract the EVTX files from a remote machine (i.e. Active Directory using domain credentials).

    opened by notdodo 1
  • Issue with the path

    Issue with the path

    Issue with the path
    Traceback (most recent call last):
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 357, in <module>
        main()
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 324, in main
        report()
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 254, in report
        allresults = allresults[
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\frame.py", line 3810, in __getitem__
        indexer = self.columns._get_indexer_strict(key, "columns")[1]
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\indexes\base.py", line 6111, in _get_indexer_strict
        self._raise_if_missing(keyarr, indexer, axis_name)
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\indexes\base.py", line 6174, in _raise_if_missing
        raise KeyError(f"{not_found} not in index")
    KeyError: "['Computer Name', 'Channel'] not in index"

    opened by SUDOMICKEY 0
  • Error analyzing Sysmon logs

    Error analyzing Sysmon logs

    My command

    APT-Hunter.exe -p C:\WINDOWS\System32\winevt\Logs
    

    Output

    Analyzing C:\WINDOWS\System32\winevt\Logs\OSession.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Parameters.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Security.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Setup.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\SMSApi.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\State.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\System.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Windows PowerShell.evtx
    Error Analyzing Sysmon logs
    ERROR:root:Traceback (most recent call last):
      File "APT-Hunter.py", line 130, in evtxdetect_auto
      File "lib\EvtxDetection.py", line 3347, in detect_events_Sysmon_log
    IndexError: list index out of range
    
    Traceback (most recent call last):
      File "APT-Hunter.py", line 359, in <module>
      File "APT-Hunter.py", line 326, in main
      File "APT-Hunter.py", line 236, in report
      File "pandas\core\frame.py", line 636, in __init__
      File "pandas\core\internals\construction.py", line 502, in dict_to_mgr
      File "pandas\core\internals\construction.py", line 120, in arrays_to_mgr
      File "pandas\core\internals\construction.py", line 674, in _extract_index
    ValueError: All arrays must be of the same length
    [6696] Failed to execute script 'APT-Hunter' due to unhandled exception!
    
    opened by fareedfauzi 1
  • executable only process folder named Logs

    executable only process folder named Logs

    APT-Hunter is working OK when the folder of the logs is "Logs", as in the following

    C:\tools\APT-HunterV2.0-Stable+>APT-Hunter.exe -p *\Logs* -o project3

    But if I change it to anything else, for example

    C:\tools\APT-HunterV2.0-Stable+>APT-Hunter.exe -p *\Log* -o project3

    it shows the following and all the Excel files are created empty

    Issue with the path

    opened by tamermh 0
  • Error Analyzing Powershell Operational logs

    Error Analyzing Powershell Operational logs

      File "E:#Tools\APT-Hunter-main\APT-Hunter.py", line 80, in evtxdetect_auto
        EvtxDetection.detect_events_powershell_operational_log(powershellop_path_list,input_timezone)
      File "E:#Tools\APT-Hunter-main\lib\EvtxDetection.py", line 2293, in detect_events_powershell_operational_log
        Event_desc = "Found User (" + User[
    IndexError: list index out of range

    opened by normaliok 1
  • :wrench: fix access to a variable before assignment

    :wrench: fix access to a variable before assignment

    fixes #18

    No more complaints about variable being accessed before assignment:

    ~/dev/apt-hunter/repo/APT-Hunter fix-error-on-using-variable-before-assignement* 32s
    .venv ❯ python APT-Hunter.py -p ~/dev/logs-windows -o output_file
    
      /$$$$$$  /$$$$$$$  /$$$$$$$$         /$$   /$$                       /$$
     /$$__  $$| $$__  $$|__  $$__/        | $$  | $$                      | $$
    | $$  \ $$| $$  \ $$   | $$           | $$  | $$ /$$   /$$ /$$$$$$$  /$$$$$$    /$$$$$$   /$$$$$$
    | $$$$$$$$| $$$$$$$/   | $$    /$$$$$$| $$$$$$$$| $$  | $$| $$__  $$|_  $$_/   /$$__  $$ /$$__  $$
    | $$__  $$| $$____/    | $$   |______/| $$__  $$| $$  | $$| $$  \ $$  | $$    | $$$$$$$$| $$  \__/
    | $$  | $$| $$         | $$           | $$  | $$| $$  | $$| $$  | $$  | $$ /$$| $$_____/| $$
    | $$  | $$| $$         | $$           | $$  | $$|  $$$$$$/| $$  | $$  |  $$$$/|  $$$$$$$| $$
    |__/  |__/|__/         |__/           |__/  |__/ \______/ |__/  |__/   \___/   \_______/|__/
    
                                                                    By : Ahmed Khlief , @ahmed_khlief
                                                                    Version : 2.0
                                                                                                      
    Analyzing /home/bernardosilva/dev/logs-windows/Security.evtx
    Analyzing /home/bernardosilva/dev/logs-windows/Application.evtx
    Analyzing /home/bernardosilva/dev/logs-windows/System.evtx
    Time Sketch Report saved as output_file_TimeSketch.csv
    Logon Events Report saved as output_file_Logon_Events.csv
    Report saved as output_file_Report.xlsx
    
    opened by BernardoSilva 0
Releases(V2.0-Stable)
Owner
@ahmed_khlief : Security Analyst , Purple Teamer , APT Hunter