APT-Hunter is a threat hunting tool for Windows event logs

Overview

APT-Hunter

APT-Hunter is a threat hunting tool for Windows event logs, built with a purple-team mindset to detect APT movements hidden in the sea of Windows event logs and to decrease the time needed to uncover suspicious activity. The tool makes good use of the Windows event logs you have already collected and makes sure the critical events it is configured to detect are not missed. If you are a threat hunter, incident responder or forensic investigator, I am sure you will enjoy using this tool; the reasons, and how it will make your life easier just as it made mine, are discussed in the article linked below. Kindly note that although this tool is heavily tested, it is still a beta version and may contain bugs.

Full information about the tool and how it is used is in this article : introducing-apt-hunter-threat-hunting-tool-using-windows-event-log

Author :

Twitter : @ahmed_khlief

Linkedin : Ahmed Khlief

How to Use APT-Hunter

The first thing to do is to collect the logs, if you have not already. The PowerShell log collectors make it easy to collect the needed logs automatically: run the scripts as administrator (the Security log cannot be read without elevation).

To collect the logs in EVTX format use : windows-log-collector-full-v3-EVTX.ps1

To collect the logs in CSV format use : windows-log-collector-full-v3-CSV.ps1

For Windows users, please use the latest release : Latest Release

APT-Hunter is built with Python 3, so to use the tool you need to install the required libraries (Python 3.9 is not supported yet). Note that the evtx dependency is a Rust extension: the installation failures reported in the comments below (no module named setuptools_rust, cargo unable to find Cargo.toml) come from that build step, not from APT-Hunter itself.

python3 -m pip install -r Requirements.txt

APT-Hunter is easy to use: pass the argument -h to print the help and see the available options.

python3 APT-Hunter.py -h

usage: APT-Hunter.py [-h] [-p PATH] [-o OUT] [-t {csv,evtx}]

-h, --help show this help message and exit

-p PATH, --path PATH path to folder containing windows event logs generated by the APT-Hunter-Log-Collector.ps1

-o OUT, --out OUT output file name

-t {csv,evtx}, --type {csv,evtx} csv ( logs from get-eventlog or windows event log GUI or logs from Get-WinEvent ) , evtx ( EVTX extension windows event log )

--security SECURITY Path to Security Logs

--system SYSTEM Path to System Logs

--scheduledtask SCHEDULEDTASK Path to Scheduled Tasks Logs

--defender DEFENDER Path to Defender Logs

--powershell POWERSHELL Path to Powershell Logs

--powershellop POWERSHELLOP Path to Powershell Operational Logs

--terminal TERMINAL Path to TerminalServices LocalSessionManager Logs

--winrm WINRM Path to Winrm Logs

--sysmon SYSMON Path to Sysmon Logs

-p : path to the directory containing the logs extracted with the PowerShell log collectors ( windows-log-collector-full-v3-CSV.ps1 , windows-log-collector-full-v3-EVTX.ps1 ) .

-o : name of the project, used as the prefix of the generated output sheets

-t : the log type, CSV or EVTX

The remaining arguments are for analyzing a single type of log instead of a whole directory.

Examples :

python3 APT-Hunter.py -t evtx -p /opt/wineventlogs/ -o Project1

python3 APT-Hunter.py -t csv -p /opt/wineventlogs/ -o Project1

python3 APT-Hunter.py -t evtx --security evtx/security.evtx --powershell evtx/powershell.evtx -o Project2

The results are written to two files :

Project1_Report.xlsx : an Excel workbook containing all the events detected in every Windows log provided to APT-Hunter.

Project1_TimeSketch.csv : a CSV file you can upload to Timesketch for timeline analysis, which helps you see the full picture of the attack.
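The files above are what the tool writes. As an added example (not APT-Hunter's own code, whose detections live in lib/EvtxDetection.py), the following Python shows the shape of one such detection end to end: a password-spray check over Security-log 4625/4624 records, with the time window taken from the records' own timestamps rather than the wall clock, and the result rendered as rows carrying the three columns Timesketch requires (message, datetime, timestamp_desc). The record layout and the sample events are assumptions constructed for the example; a real run would feed records parsed from Security.evtx.

```python
"""Added example, not APT-Hunter's own code: a small password-spray detector
over Security-log records that emits Timesketch-ready CSV rows.

Assumptions (not from the project): records are dicts carrying the EventID,
TimeCreated, TargetUserName and IpAddress fields of 4624/4625 events, as a
parser such as pyevtx-rs would hand them over; the sample records below are
constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(value):
    # Event timestamps are ISO 8601 with a Z suffix; keep them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _evt(ts, eid, user, ip):
    return {"EventID": eid, "TimeCreated": ts, "TargetUserName": user, "IpAddress": ip}


# Constructed sample: one source fails against five accounts within a minute and
# then succeeds for one of them; a second source is a user mistyping a password.
SAMPLE_EVENTS = [
    _evt("2021-03-01T08:00:00Z", 4625, "alice", "10.0.0.5"),
    _evt("2021-03-01T08:00:10Z", 4625, "bob", "10.0.0.5"),
    _evt("2021-03-01T08:00:20Z", 4625, "carol", "10.0.0.5"),
    _evt("2021-03-01T08:00:30Z", 4625, "dave", "10.0.0.5"),
    _evt("2021-03-01T08:00:40Z", 4625, "erin", "10.0.0.5"),
    _evt("2021-03-01T08:00:50Z", 4624, "erin", "10.0.0.5"),   # the spray found a password
    _evt("2021-03-01T09:15:00Z", 4625, "alice", "10.0.0.9"),  # benign: same user, two typos
    _evt("2021-03-01T09:15:30Z", 4625, "alice", "10.0.0.9"),
    _evt("2021-03-01T13:00:00Z", 4625, "frank", "10.0.0.5"),  # hours later, outside any window
]


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=5)):
    """Return one finding per source IP that fails against >= min_accounts
    distinct accounts inside a sliding time window.

    Times come from the records themselves, never from the wall clock, so the
    same evidence gives the same answer whenever it is analysed.
    """
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((_ts(e["TimeCreated"]), e["TargetUserName"]))

    successes = [(_ts(e["TimeCreated"]), e["TargetUserName"], e["IpAddress"])
                 for e in events if e["EventID"] == 4624]

    findings = []
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                first, last = attempts[start][0], attempts[end][0]
                findings.append({
                    "source_ip": ip,
                    "first_seen": first,
                    "last_seen": last,
                    "accounts": sorted(users),
                    # Accounts that logged on from the same source after the spray:
                    # the ones to reset and investigate first.
                    "success_after": sorted(u for t, u, sip in successes
                                            if sip == ip and t >= last),
                })
                break  # one finding per source keeps the report readable
    return findings


def timesketch_csv(findings):
    """Render findings as CSV with the three columns Timesketch requires
    (message, datetime, timestamp_desc) plus two extra attribute columns."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["message", "datetime", "timestamp_desc", "source_ip", "accounts"])
    writer.writeheader()
    for f in findings:
        writer.writerow({
            "message": (f"Password spray from {f['source_ip']}: {len(f['accounts'])} accounts "
                        f"failed between {f['first_seen'].isoformat()} and "
                        f"{f['last_seen'].isoformat()}; logged on afterwards: "
                        f"{', '.join(f['success_after']) or 'none'}"),
            "datetime": f["first_seen"].isoformat(),
            "timestamp_desc": "Password spray first failure",
            "source_ip": f["source_ip"],
            "accounts": ";".join(f["accounts"]),
        })
    return buf.getvalue()


if __name__ == "__main__":
    print(timesketch_csv(detect_password_spray(SAMPLE_EVENTS)), end="")
```

Run it directly to print the CSV on stdout. Anchoring the window on the record's own timestamp is what makes the check usable on evidence collected days or weeks earlier; a detector that measures against the current time would see nothing in old logs.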

Comments
  • EVTX-ATTACK-SAMPLES

    Hi, first of all an awesome job. I've been trying to use https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES for testing but unfortunately I was not able to do it. What would be the correct approach, if possible at all? Thanks a lot.

    opened by V0lundr 5
  • Can't install Requirements

    I installed Python 3.9 on my Windows 10 Pro machine (only this fresh install of Python, no other languages installed). When executing the command python -m pip install -r Requirements.txt I get the error listed below. I had run the command 2x; I assume this is why it says it references "cached".

    Collecting netaddr
      Using cached netaddr-0.8.0-py2.py3-none-any.whl (1.9 MB)
    Collecting evtx
      Using cached evtx-0.6.8.tar.gz (2.2 kB)
        ERROR: Command errored out with exit status 1:
         command: 'C:\Users\XXXXX\AppData\Local\Programs\Python\Python39\python.exe' -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py'"'"'; __file__='"'"'C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base 'C:\Users\XXXXX\AppData\Local\Temp\pip-pip-egg-info-yy_8dz2x'
             cwd: C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'

    Note that I am running the command in an elevated command prompt.

    Thank you for any assistance.

    opened by brohan 4
  • File path does not exist

    I am trying this out during post-mortem forensics.

    I copy all .evtx files out of my images into a folder and then run APT-Hunter against all the files in the folder.

    Only the System and Security events parse, and I receive the following errors when running this command: .\APT-Hunter.exe -t evtx -p I:\Evidence\Case\EVTX\Dc1\ -o Case-Dc1

    Error Analyzing Security logs: File Path Does Not Exist
    Error Analyzing System logs : File Path Does Not Exist
    Error Analyzing Powershell Operational logs : File Path Does Not Exist
    Error Analyzing Powershell logs : File Path Does Not Exist
    Error Analyzing TerminalServices LocalSessionManager logs: File Path Does Not Exist
    Error Analyzing Scheduled Task logs : File Path Does Not Exist
    Error Analyzing Windows Defender logs : File Path Does Not Exist
    Error Analyzing WinRM logs : File Path Does Not Exist
    Error Analyzing Sysmon logs

    Does it have anything to do with the filenames from the OS?
    Microsoft-Windows-PowerShell%4Admin.evtx
    Microsoft-Windows-PowerShell%4Operational.evtx
    Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
    Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
    Microsoft-Windows-Windows Defender%4Operational.evtx
    Microsoft-Windows-Windows Defender%4WHC.evtx

    opened by clive7391 3
  • Requirements Issue

    I am trying to install the requirements on Win 10. I have installed Python3 + Rust but keep encountering this error -

    I installed Rust using - pip install setuptools-rust - & the rustup-init.exe but still keep getting this -

    ERROR: Failed building wheel for evtx
    Running setup.py clean for evtx
    Failed to build evtx
    Installing collected packages: evtx, netaddr, numpy, six, python-dateutil, pytz, pandas, XlsxWriter
    Running setup.py install for evtx ... error
    ERROR: Command errored out with exit status 1:
     command: 'C:\Users\user\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"'; __file__='"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'C:\Users\user\AppData\Local\Temp\pip-record-03gi9t6z\install-record.txt' --single-version-externally-managed --user --prefix= --compile --install-headers 'C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Include\evtx'
         cwd: C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx
    Complete output (42 lines):
    running install
    running build
    running build_ext
    running build_rust
    error: manifest path Cargo.toml does not exist
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py", line 21, in <module>
        setup(
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\site-packages\setuptools\__init__.py", line 165, in setup
        return distutils.core.setup(**attrs)
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\core.py", line 148, in setup
        dist.run_commands()
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 966, in run_commands
        self.run_command(cmd)
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command
        cmd_obj.run()
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\site-packages\setuptools\command\install.py", line 61, in run
        return orig.install.run(self)
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\command\install.py", line 546, in run
        self.run_command('build')
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\cmd.py", line 313, in run_command
        self.distribution.run_command(command)
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command
        cmd_obj.run()
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\command\build.py", line 135, in run
        self.run_command(cmd_name)
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\cmd.py", line 313, in run_command
        self.distribution.run_command(command)
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command
        cmd_obj.run()
      File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\setuptools_ext.py", line 23, in run
        build_rust.run()
      File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\build.py", line 357, in run
        self.build_extension(ext)
      File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\build.py", line 120, in build_extension
        metadata = json.loads(check_output(metadata_command).decode("utf-8"))
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\subprocess.py", line 420, in check_output
        return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
      File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\subprocess.py", line 524, in run
        raise CalledProcessError(retcode, process.args,
    subprocess.CalledProcessError: Command '['cargo', 'metadata', '--manifest-path', 'Cargo.toml', '--format-version', '1']' returned non-zero exit status 101.
    ----------------------------------------
    ERROR: Command errored out with exit status 1: 'C:\Users\user\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"'; __file__='"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'C:\Users\user\AppData\Local\Temp\pip-record-03gi9t6z\install-record.txt' --single-version-externally-managed --user --prefix= --compile --install-headers 'C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Include\evtx' Check the logs for full command output.

    opened by hackjalstead 3
  • Missing `setuptools_rust` from requirements

    Hi! When launching a dry run to install requirements, it misses the setuptools_rust.

    (.env) ~/APT-Hunter >>> pip install -r Requirements.txt                                                                                                                       ±[main]
    Collecting evtx
      Downloading evtx-0.6.8.tar.gz (2.2 kB)
        ERROR: Command errored out with exit status 1:
         command: /home/xxx/APT-Hunter/.env/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py'"'"'; __file__='"'"'/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-nk2jwvmk
             cwd: /tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'
        ----------------------------------------
    ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    

    Thanks, the tool looks awesome!

    opened by evilcel3ri 3
  • Seeing the following error .

    [email protected]:/home/kali/Desktop/APT-Hunter# python3 -m pip install -r requirements.txt
    Collecting evtx
      Using cached evtx-0.6.8.tar.gz (2.2 kB)
        ERROR: Command errored out with exit status 1:
         command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py'"'"'; __file__='"'"'/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-7w2zav_u
             cwd: /tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'
        ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/33/18/b32715bae61c4fe6a7cdb79aafccb0d4797a1bfef028e9689197af214966/evtx-0.6.8.tar.gz#sha256=414507b79fe997a35fbf05ae57dd2f55a7acfc669b19d9125a894ffe40dbeade (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
      Using cached evtx-0.3.0.tar.gz (1.8 kB)
        ERROR: Command errored out with exit status 1:
         command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/setup.py'"'"'; __file__='"'"'/tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-xfau9bd2
             cwd: /tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'
        ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/2d/fe/f207c57f183d07aa405679019ec37193dacdb25cd814f185f7b817915101/evtx-0.3.0.tar.gz#sha256=1ce5fde2b9df791af5e72c9c28d0a85b7a41ac36b2dcf34522ce909379d49509 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
      Using cached evtx-0.2.7.tar.gz (1.8 kB)
        ERROR: Command errored out with exit status 1:
         command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/setup.py'"'"'; __file__='"'"'/tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-b70tzy4y
             cwd: /tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'
        ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/80/01/7778d9c3a33f40f108da547fb518f86da9a9afe13bd43c15c42b029e4d64/evtx-0.2.7.tar.gz#sha256=4e60da0ac63c51d3065952f45e3b865b161e6e3f0e17adf2f3300b18f6f399e8 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
      Using cached evtx-0.2.6.tar.gz (1.8 kB)
        ERROR: Command errored out with exit status 1:
         command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/setup.py'"'"'; __file__='"'"'/tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-7ficjdna
             cwd: /tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'
        ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/a5/4e/5dfd9ad96e7bbe29e3c6e8f380175d6382722d4306547f34e40e33d022b7/evtx-0.2.6.tar.gz#sha256=5c9a1a988e28a128abf539fdb6c2ae08f6ea2f3e15d534f10362edf597bcd1a8 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
      Using cached evtx-0.2.5.tar.gz (1.4 kB)
        ERROR: Command errored out with exit status 1:
         command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/setup.py'"'"'; __file__='"'"'/tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-753zlwh6
             cwd: /tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'
        ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/11/4c/13588de4d88a437e00a10653969b86b886cb1db22a7a758729edd4ed2ac8/evtx-0.2.5.tar.gz#sha256=ab7c61b01d6723b2da5fa192faf12cc82bc54b4a3a9ee338aff665cd7f29cf33 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    ERROR: Could not find a version that satisfies the requirement evtx
    ERROR: No matching distribution found for evtx

    opened by krisz-bot 2
  • Adding pandas and xlsxwriter to reqs + Fix date in PasswordSpray detection

    When launching a dry run, I noticed some libraries were missing. This PR adds them in the requirements.txt.

    It also adds a fix for the PasswordSpray detection which used to use datetime.now instead of the actual date in the log file.

    opened by evilcel3ri 2
  •  Error Analyzing Powershell Operational logs - list index out of range

    Description: Kali GNU/Linux Rolling
    Release: 2021.3
    Codename: kali-rolling
    Python Version: Python 3.9.7

    Error Analyzing Powershell Operational logs 
    ERROR:root:Traceback (most recent call last):
      File "/home/kali/sources/APT-Hunter/APT-Hunter.py", line 80, in evtxdetect_auto
        EvtxDetection.detect_events_powershell_operational_log(powershellop_path_list,input_timezone)
      File "/home/kali/sources/APT-Hunter/lib/EvtxDetection.py", line 2399, in detect_events_powershell_operational_log
        Event_desc = "Found User (" + User[0].strip() + ") run PowerShell with Command Name (" + \
    IndexError: list index out of range
    
    opened by scusi 1
  • 2.0 - evtxdetect_auto error and no CSV output

    Hello,

    Thank you for providing a compiled Windows EXE. I'll be making a Module in KAPE for this tool, but first I think some bugs need to be fixed :)

    I ran the tool against the EVTX-ATTACK-SAMPLES repo and received the following errors:

    Error Analyzing Sysmon logs
    ERROR:root:Traceback (most recent call last):
      File "APT-Hunter.py", line 130, in evtxdetect_auto
      File "lib\EvtxDetection.py", line 3082, in detect_events_Sysmon_log
    NameError: name 'user' is not defined
    

    https://github.com/ahmedkhlief/APT-Hunter/blob/60fc3fd07616e89e5fdb8e390cf6a564d1c64435/APT-Hunter.py#L130 https://github.com/ahmedkhlief/APT-Hunter/blob/60fc3fd07616e89e5fdb8e390cf6a564d1c64435/lib/EvtxDetection.py#L3082

    Also, despite the below message indicating otherwise, there was no CSV output to be found.

    Time Sketch Report saved as V:\EVTX\APTHunterTest_TimeSketch.csv
    Logon Events Report saved as V:\EVTX\APTHunterTest_Logon_Events.csv
    Report saved as V:\EVTX\APTHunterTest_Report.xlsx
    

    So I think something might be wrong 🤷

    opened by AndrewRathbun 1
  • Getting an error with sysmon

    Hello,

    I'm getting this error:

    File "APT-Hunter.py", line 108, in evtxdetect
      EvtxDetection.detect_events_Sysmon_log(sysmon_path)
    File "C:\IR\APT-Hunter-main-Windows-V1.1-Stable\lib\EvtxDetection.py", line 2018, in detect_events_Sysmon_log
      if CommandLine[0].strip().find(i)>-1:
    IndexError: list index out of range

    Using python 3.7.4 and Sysmon 13.02

    Command: python APT-Hunter.py -t evtx --sysmon c:/temp3/logs/wineventlog/Sysmon.evtx -o Test_00

    Thanks,

    opened by rangerrkm 1
  • Remote fetch of EVTX

    Hi

    it would be nice to extend the script windows-log-collector-full-v3-EVTX.ps1 to extract the EVTX files from a remote machine (i.e. Active Directory using domain credentials).

    opened by notdodo 1
  • Issue with the path

    Issue with the path
    Traceback (most recent call last):
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 357, in <module>
        main()
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 324, in main
        report()
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 254, in report
        allresults = allresults[
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\frame.py", line 3810, in __getitem__
        indexer = self.columns._get_indexer_strict(key, "columns")[1]
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\indexes\base.py", line 6111, in _get_indexer_strict
        self._raise_if_missing(keyarr, indexer, axis_name)
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\indexes\base.py", line 6174, in _raise_if_missing
        raise KeyError(f"{not_found} not in index")
    KeyError: "['Computer Name', 'Channel'] not in index"

    opened by SUDOMICKEY 0
  • Error analyzing Sysmon logs

    My command

    APT-Hunter.exe -p C:\WINDOWS\System32\winevt\Logs
    

    Output

    Analyzing C:\WINDOWS\System32\winevt\Logs\OSession.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Parameters.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Security.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Setup.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\SMSApi.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\State.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\System.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Windows PowerShell.evtx
    Error Analyzing Sysmon logs
    ERROR:root:Traceback (most recent call last):
      File "APT-Hunter.py", line 130, in evtxdetect_auto
      File "lib\EvtxDetection.py", line 3347, in detect_events_Sysmon_log
    IndexError: list index out of range
    
    Traceback (most recent call last):
      File "APT-Hunter.py", line 359, in <module>
      File "APT-Hunter.py", line 326, in main
      File "APT-Hunter.py", line 236, in report
      File "pandas\core\frame.py", line 636, in __init__
      File "pandas\core\internals\construction.py", line 502, in dict_to_mgr
      File "pandas\core\internals\construction.py", line 120, in arrays_to_mgr
      File "pandas\core\internals\construction.py", line 674, in _extract_index
    ValueError: All arrays must be of the same length
    [6696] Failed to execute script 'APT-Hunter' due to unhandled exception!
    
    opened by fareedfauzi 1
  • executable only process folder named Logs

    APT-Hunter works OK when the logs folder is named "Logs", as follows

    C:\tools\APT-HunterV2.0-Stable+>APT-Hunter.exe -p *\Logs* -o project3

    But if i changed to anything else for example

    C:\tools\APT-HunterV2.0-Stable+>APT-Hunter.exe -p *\Log* -o project3

    it shows the following, and all the Excel files are created but empty

    Issue with the path

    opened by tamermh 0
  • Error Analyzing Powershell Operational logs

    File "E:#Tools\APT-Hunter-main\APT-Hunter.py", line 80, in evtxdetect_auto
      EvtxDetection.detect_events_powershell_operational_log(powershellop_path_list,input_timezone)
    File "E:#Tools\APT-Hunter-main\lib\EvtxDetection.py", line 2293, in detect_events_powershell_operational_log
      Event_desc = "Found User (" + User[
    IndexError: list index out of range

    opened by normaliok 1
  • :wrench: fix access to a variable before assignment

    fixes #18

    No more complaints about variable being accessed before assignment:

    ~/dev/apt-hunter/repo/APT-Hunter fix-error-on-using-variable-before-assignement* 32s
    .venv ❯ python APT-Hunter.py -p ~/dev/logs-windows -o output_file
    
      /$$$$$$  /$$$$$$$  /$$$$$$$$         /$$   /$$                       /$$
     /$$__  $$| $$__  $$|__  $$__/        | $$  | $$                      | $$
    | $$  \ $$| $$  \ $$   | $$           | $$  | $$ /$$   /$$ /$$$$$$$  /$$$$$$    /$$$$$$   /$$$$$$
    | $$$$$$$$| $$$$$$$/   | $$    /$$$$$$| $$$$$$$$| $$  | $$| $$__  $$|_  $$_/   /$$__  $$ /$$__  $$
    | $$__  $$| $$____/    | $$   |______/| $$__  $$| $$  | $$| $$  \ $$  | $$    | $$$$$$$$| $$  \__/
    | $$  | $$| $$         | $$           | $$  | $$| $$  | $$| $$  | $$  | $$ /$$| $$_____/| $$
    | $$  | $$| $$         | $$           | $$  | $$|  $$$$$$/| $$  | $$  |  $$$$/|  $$$$$$$| $$
    |__/  |__/|__/         |__/           |__/  |__/ \______/ |__/  |__/   \___/   \_______/|__/
    
                                                                    By : Ahmed Khlief , @ahmed_khlief
                                                                    Version : 2.0
                                                                                                      
    Analyzing /home/bernardosilva/dev/logs-windows/Security.evtx
    Analyzing /home/bernardosilva/dev/logs-windows/Application.evtx
    Analyzing /home/bernardosilva/dev/logs-windows/System.evtx
    Time Sketch Report saved as output_file_TimeSketch.csv
    Logon Events Report saved as output_file_Logon_Events.csv
    Report saved as output_file_Report.xlsx
    
    opened by BernardoSilva 0
Releases : V2.0-Stable