PSHunt: Powershell Threat Hunting Module
PSHunt
PSHunt is a Powershell Threat Hunting Module designed to scan remote endpoints* for indicators of compromise or survey them for more comprehensive information related to the state of those systems (active processes, autostarts, configurations, and/or logs).
PSHunt began as the precursor to Infocyte’s commercial product, Infocyte HUNT, and is now being open sourced for the benefit of the DFIR community.
PSHunt Structure
PSHunt is divided into several modules, functions, and folders. The below gives an outline of the grouping of these functions and upcoming posts will describe how to use them with examples and screenshots.
Discovery
Discovery functions and cmdlets are used to identify hosts on the network and build a target list that can be ingested by the scanners and survey deployment cmdlets. Get-HuntTargets Invoke-HuntPortScan
Scanners
Scans are modular queries that take in a remote ComputerName argument and output a Powershell object. The utility Invoke-HuntScan is used to initiate the selected scan against your target list. Scan_OSInfo.ps1
Surveys
Surveys are scripts that are deployed to remote hosts to collect comprehensive information from the host. Running locally allows the scripts to dig deeper into the operating system than what remote WMI or registry queries normally allow.Survey.ps1 SurveyLogs.ps1
Utilities
Utility functions provide the base functionality for deployment and execution of surveys and scans.
Invoke-HuntSurvey Get-HuntSurveyResults Invoke-HuntScanner
Analysis
There are two types of analysis functions:
- Survey Analysis
Survey Analysis functions provide the framework for analyzing and displaying survey and scan results.
Initialize-HuntReputation Update-HuntObject Group-HuntObject
- File Analysis File Analysis functions are a set of utilities to analyze files and malware.
Get-Entropy Get-VTReport Get-Hashes
Libraries (Lib)
Libraries are 3rd party tools that have been incorporated to enable additional analysis or are other projects (i.e. Posh-VirusTotal) that are utilized by the framework. 7zip Posh-VirusTotal
Reputation Lists
Reputation lists include hashes from the NIST NSRL Database, baselined virtual machines provided by Infocyte, and also is updated with any VirusTotal submission made using PSHunt’s Get-VTReport. These lists are loaded into a global memory variable by Initialize-HuntReputation and is compared against by Update-HuntObject.
Download
git clone https://github.com/Infocyte/PSHunt.git
Usage
Copyright 2016 Infocyte, Inc.
Source: https://github.com/Infocyte/
