APT-Hunter is Threat Hunting tool for windows event logs

Overview

APT-Hunter

APT-Hunter is a threat hunting tool for Windows event logs, built with a purple-team mindset to detect APT movements hidden in the sea of Windows event logs and to cut the time needed to uncover suspicious activity. The tool makes good use of the Windows event logs you have collected and makes sure not to miss the critical events it is configured to detect. If you are a threat hunter, incident responder or forensic investigator, I assure you that you will enjoy using this tool. Why? I discuss the reasons in the article linked below, and how it will make your life easier, just as it made mine. Kindly note that this tool is heavily tested but still a beta version and may contain bugs.

Full information about the tool and how it is used can be found in this article : introducing-apt-hunter-threat-hunting-tool-using-windows-event-log

Author :

Twitter : @ahmed_khlief

Linkedin : Ahmed Khlief

How to Use APT-Hunter

The first thing to do is to collect the logs, if you have not already. With the PowerShell log collectors it is easy to collect the needed logs automatically: just run the PowerShell scripts as administrator.

To collect the logs in EVTX format use : windows-log-collector-full-v3-EVTX.ps1

To collect the logs in CSV format use : windows-log-collector-full-v3-CSV.ps1

For Windows users please use the latest release : Latest Release

APT-Hunter is built with Python 3, so in order to use the tool you need to install the required libraries (Python 3.9 is not supported yet).

python3 -m pip install -r Requirements.txt

APT-Hunter is easy to use: just pass the argument -h to print the help and see the available options.

python3 APT-Hunter.py -h

usage: APT-Hunter.py [-h] [-p PATH] [-o OUT] [-t {csv,evtx}]

-h, --help show this help message and exit

-p PATH, --path PATH path to folder containing windows event logs generated by the APT-Hunter-Log-Collector.ps1

-o OUT, --out OUT output file name

-t {csv,evtx}, --type {csv,evtx} csv ( logs from get-eventlog or windows event log GUI or logs from Get-WinEvent ) , evtx ( EVTX extension windows event log )

--security SECURITY Path to Security Logs

--system SYSTEM Path to System Logs

--scheduledtask SCHEDULEDTASK Path to Scheduled Tasks Logs

--defender DEFENDER Path to Defender Logs

--powershell POWERSHELL Path to Powershell Logs

--powershellop POWERSHELLOP Path to Powershell Operational Logs

--terminal TERMINAL Path to TerminalServices LocalSessionManager Logs

--winrm WINRM Path to Winrm Logs

--sysmon SYSMON Path to Sysmon Logs

-p : path to the directory containing the logs extracted with the PowerShell log collectors ( windows-log-collector-full-v3-CSV.ps1 , windows-log-collector-full-v3-EVTX.ps1 ) .

-o : name of the project, which will be used in the generated output sheets

-t : the log type, CSV or EVTX

The remaining arguments are for analyzing a single type of log on its own.

Examples :

python3 APT-Hunter.py -t evtx -p /opt/wineventlogs/ -o Project1

python3 APT-Hunter.py -t csv -p /opt/wineventlogs/ -o Project1

python3 APT-Hunter.py -t evtx --security evtx/security.evtx --powershell evtx/powershell.evtx -o Project2

The result will be available in two output files :

Project1_Report.xlsx : this Excel workbook includes all the events detected from every Windows log provided to APT-Hunter

Project1_TimeSketch.csv : this CSV file can be uploaded to Timesketch for timeline analysis, which will help you see the full picture of the attack .
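The pipeline the usage above describes (parsed Windows events in, detections out, plus a Timesketch CSV for the timeline) reduced to one detection, as an added example that is my own code and not APT-Hunter's: a password-spray check over 4625 failed-logon records that measures its time window on the events' own timestamps rather than the analyst's clock (the point of the PasswordSpray fix in the pull request listed below). The sample records, the window and user thresholds, and the column set beyond Timesketch's required message, datetime and timestamp_desc are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def _ev(ts: str, ip: str, user: str, eid: int = 4625) -> Dict:
    """One parsed Security log record (constructed; field names follow the
    EventData names Windows uses for logon events)."""
    return {"EventID": eid, "TimeCreated": ts, "IpAddress": ip, "TargetUserName": user}


# Constructed sample records; timestamps are taken as UTC.
SAMPLE_EVENTS = [
    # 10.0.0.7: five different accounts fail inside four minutes -> spray
    _ev("2021-03-01T08:00:05", "10.0.0.7", "alice"),
    _ev("2021-03-01T08:01:10", "10.0.0.7", "bob"),
    _ev("2021-03-01T08:01:55", "10.0.0.7", "carol"),
    _ev("2021-03-01T08:03:20", "10.0.0.7", "dave"),
    _ev("2021-03-01T08:04:02", "10.0.0.7", "erin"),
    _ev("2021-03-01T08:04:30", "10.0.0.7", "erin", eid=4624),  # success, ignored
    # 10.0.0.9: one account failing repeatedly -> not a spray
    _ev("2021-03-01T08:00:00", "10.0.0.9", "alice"),
    _ev("2021-03-01T08:00:30", "10.0.0.9", "alice"),
    _ev("2021-03-01T08:01:00", "10.0.0.9", "alice"),
    # 192.168.1.20: five accounts, but spread over two hours -> outside window
    _ev("2021-03-01T09:00:00", "192.168.1.20", "alice"),
    _ev("2021-03-01T09:30:00", "192.168.1.20", "bob"),
    _ev("2021-03-01T10:00:00", "192.168.1.20", "carol"),
    _ev("2021-03-01T10:30:00", "192.168.1.20", "dave"),
    _ev("2021-03-01T11:00:00", "192.168.1.20", "erin"),
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["TimeCreated"])


def detect_password_spray(events: List[Dict], window_minutes: int = 10,
                          min_users: int = 5) -> List[Dict]:
    """Flag each source IP whose failed logons (event ID 4625) hit at least
    `min_users` distinct accounts within `window_minutes`. The window is
    measured on the events' own TimeCreated values, never on the analyst's
    clock, so the detection gives the same answer on a month-old log."""
    window = timedelta(minutes=window_minutes)
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted((e for e in events if e["EventID"] == 4625), key=_ts):
        by_ip[e["IpAddress"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):           # sliding window over sorted events
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            users = {e["TargetUserName"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                findings.append({"source_ip": ip, "users": sorted(users),
                                 "count": end - start + 1,
                                 "first_seen": evs[start]["TimeCreated"],
                                 "last_seen": evs[end]["TimeCreated"]})
                break                         # one finding per source is enough
    return findings


# Timesketch's CSV import needs message, datetime and timestamp_desc; any extra
# columns are kept as additional fields on the event.
TIMESKETCH_COLUMNS = ["message", "datetime", "timestamp_desc", "source_ip", "last_seen"]


def to_timesketch_rows(findings: List[Dict]) -> List[Dict]:
    rows = []
    for f in findings:
        rows.append({
            "message": "Password spray from %s: %d failed logons (4625) against %d accounts: %s"
                       % (f["source_ip"], f["count"], len(f["users"]), ", ".join(f["users"])),
            "datetime": f["first_seen"] + "+00:00",   # ISO 8601 with offset; logs assumed UTC
            "timestamp_desc": "First failed logon of spray",
            "source_ip": f["source_ip"],
            "last_seen": f["last_seen"] + "+00:00",
        })
    return rows


def timesketch_csv_text(rows: List[Dict]) -> str:
    """Render rows as the CSV text Timesketch expects (header line first)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TIMESKETCH_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    hits = detect_password_spray(SAMPLE_EVENTS)
    with open("Sample_TimeSketch.csv", "w", newline="") as fh:
        fh.write(timesketch_csv_text(to_timesketch_rows(hits)))
    print("%d spray finding(s) written to Sample_TimeSketch.csv" % len(hits))
```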

Comments
  • EVTX-ATTACK-SAMPLES

    Hi, first of all an awesome job. I've been trying to use https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES for testing but unfortunately I was not able to do it. What would be the correct approach, if possible at all? Thanks a lot.

    opened by V0lundr 5
  • Can't install Requirements

    I installed python 3.9 on my Windows 10 Pro machine (only this fresh install of python, no other languages installed). When executing the command python -m pip install -r Requirements.txt I get the error listed below. I had run the command 2x, I assume this is why it says it references "cached"

    Collecting netaddr Using cached netaddr-0.8.0-py2.py3-none-any.whl (1.9 MB) Collecting evtx Using cached evtx-0.6.8.tar.gz (2.2 kB) ERROR: Command errored out with exit status 1: command: 'C:\Users\XXXXX\AppData\Local\Programs\Python\Python39\python.exe' -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py'"'"'; file='"'"'C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base 'C:\Users\XXXXX\AppData\Local\Temp\pip-pip-egg-info-yy_8dz2x' cwd: C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx
    Complete output (5 lines): Traceback (most recent call last): File "", line 1, in File "C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py", line 5, in from setuptools_rust import RustExtension ModuleNotFoundError: No module named 'setuptools_rust'

    Note that I am running the command in an elevated command prompt.

    Thank you for any assistance.

    opened by brohan 4
  • File path does not exist

    I am trying this out during post-mortem forensics.

    I copy all .evtx files out of my images into a folder and then run APT-Hunter against all the files in the folder.

    Only the System and Security Events parse and I receive the following errors running the following command: .\APT-Hunter.exe -t evtx -p I:\Evidence\Case\EVTX\Dc1\ -o Case-Dc1

    Error Analyzing Security logs: File Path Does Not Exist
    Error Analyzing System logs : File Path Does Not Exist
    Error Analyzing Powershell Operational logs : File Path Does Not Exist
    Error Analyzing Powershell logs : File Path Does Not Exist
    Error Analyzing TerminalServices LocalSessionManager logs: File Path Does Not Exist
    Error Analyzing Scheduled Task logs : File Path Does Not Exist
    Error Analyzing Windows Defender logs : File Path Does Not Exist
    Error Analyzing WinRM logs : File Path Does Not Exist
    Error Analyzing Sysmon logs

    Does it have anything to do with the filenames from the OS?
    Microsoft-Windows-PowerShell%4Admin.evtx
    Microsoft-Windows-PowerShell%4Operational.evtx
    Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
    Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
    Microsoft-Windows-Windows Defender%4Operational.evtx
    Microsoft-Windows-Windows Defender%4WHC.evtx

    opened by clive7391 3
  • Requirements Issue

    I am trying to install the requirements on Win 10, I have installed Python3 + Rust but keep encountering this error -

    I installed Rust using - pip install setuptools-rust - & the rustup-init.exe but still keep getting this -

    ERROR: Failed building wheel for evtx Running setup.py clean for evtx Failed to build evtx Installing collected packages: evtx, netaddr, numpy, six, python-dateutil, pytz, pandas, XlsxWriter Running setup.py install for evtx ... error ERROR: Command errored out with exit status 1: command: 'C:\Users\user\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"'; file='"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record 'C:\Users\user\AppData\Local\Temp\pip-record-03gi9t6z\install-record.txt' --single-version-externally-managed --user --prefix= --compile --install-headers 'C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Include\evtx' cwd: C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx
    Complete output (42 lines): running install running build running build_ext running build_rust error: manifest path Cargo.toml does not exist Traceback (most recent call last): File "", line 1, in File "C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py", line 21, in setup( File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\site-packages\setuptools_init_.py", line 165, in setup return distutils.core.setup(**attrs) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\core.py", line 148, in setup dist.run_commands() File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 966, in run_commands self.run_command(cmd) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command cmd_obj.run() File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\site-packages\setuptools\command\install.py", line 61, in run return orig.install.run(self) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\command\install.py", line 546, in run self.run_command('build') File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\cmd.py", line 313, in run_command self.distribution.run_command(command) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command cmd_obj.run() File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\command\build.py", line 135, in run self.run_command(cmd_name) File "C:\Program 
Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\cmd.py", line 313, in run_command self.distribution.run_command(command) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command cmd_obj.run() File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\setuptools_ext.py", line 23, in run build_rust.run() File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\build.py", line 357, in run self.build_extension(ext) File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\build.py", line 120, in build_extension metadata = json.loads(check_output(metadata_command).decode("utf-8")) File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\subprocess.py", line 420, in check_output return run(*popenargs, stdout=PIPE, timeout=timeout, check=True, File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\subprocess.py", line 524, in run raise CalledProcessError(retcode, process.args, subprocess.CalledProcessError: Command '['cargo', 'metadata', '--manifest-path', 'Cargo.toml', '--format-version', '1']' returned non-zero exit status 101. 
---------------------------------------- ERROR: Command errored out with exit status 1: 'C:\Users\user\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"'; file='"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record 'C:\Users\user\AppData\Local\Temp\pip-record-03gi9t6z\install-record.txt' --single-version-externally-managed --user --prefix= --compile --install-headers 'C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Include\evtx' Check the logs for full command output.

    opened by hackjalstead 3
  • Missing `setuptools_rust` from requirements

    Hi! When launching a dry run to install requirements, it misses the setuptools_rust.

    (.env) ~/APT-Hunter >>> pip install -r Requirements.txt                                                                                                                       ±[main]
    Collecting evtx
      Downloading evtx-0.6.8.tar.gz (2.2 kB)
        ERROR: Command errored out with exit status 1:
         command: /home/xxx/APT-Hunter/.env/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py'"'"'; __file__='"'"'/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-nk2jwvmk
             cwd: /tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'
        ----------------------------------------
    ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    

    Thanks, the tool looks awesome!

    opened by evilcel3ri 3
  • Seeing the following error .

    [email protected]:/home/kali/Desktop/APT-Hunter# python3 -m pip install -r requirements.txt Collecting evtx Using cached evtx-0.6.8.tar.gz (2.2 kB) ERROR: Command errored out with exit status 1: command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py'"'"'; file='"'"'/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-7w2zav_u cwd: /tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/
    Complete output (5 lines):
    Traceback (most recent call last):
    File "", line 1, in
    File "/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py", line 5, in
    from setuptools_rust import RustExtension
    ModuleNotFoundError: No module named 'setuptools_rust'
    ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/33/18/b32715bae61c4fe6a7cdb79aafccb0d4797a1bfef028e9689197af214966/evtx-0.6.8.tar.gz#sha256=414507b79fe997a35fbf05ae57dd2f55a7acfc669b19d9125a894ffe40dbeade (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    Using cached evtx-0.3.0.tar.gz (1.8 kB) ERROR: Command errored out with exit status 1: command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/setup.py'"'"'; file='"'"'/tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-xfau9bd2 cwd: /tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/
    Complete output (5 lines):
    Traceback (most recent call last):
    File "", line 1, in
    File "/tmp/pip-install-j9wfr385/evtx_420300a867c34718a328f68ee33feb99/setup.py", line 5, in
    from setuptools_rust import RustExtension
    ModuleNotFoundError: No module named 'setuptools_rust'
    ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/2d/fe/f207c57f183d07aa405679019ec37193dacdb25cd814f185f7b817915101/evtx-0.3.0.tar.gz#sha256=1ce5fde2b9df791af5e72c9c28d0a85b7a41ac36b2dcf34522ce909379d49509 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    Using cached evtx-0.2.7.tar.gz (1.8 kB) ERROR: Command errored out with exit status 1: command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/setup.py'"'"'; file='"'"'/tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-b70tzy4y cwd: /tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/
    Complete output (5 lines):
    Traceback (most recent call last):
    File "", line 1, in
    File "/tmp/pip-install-j9wfr385/evtx_acb14f472644409696fa1ff4d9f8a104/setup.py", line 5, in
    from setuptools_rust import RustExtension
    ModuleNotFoundError: No module named 'setuptools_rust'
    ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/80/01/7778d9c3a33f40f108da547fb518f86da9a9afe13bd43c15c42b029e4d64/evtx-0.2.7.tar.gz#sha256=4e60da0ac63c51d3065952f45e3b865b161e6e3f0e17adf2f3300b18f6f399e8 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    Using cached evtx-0.2.6.tar.gz (1.8 kB) ERROR: Command errored out with exit status 1: command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/setup.py'"'"'; file='"'"'/tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-7ficjdna cwd: /tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/
    Complete output (5 lines):
    Traceback (most recent call last):
    File "", line 1, in
    File "/tmp/pip-install-j9wfr385/evtx_d21ce0e26c3b448dbd9a256a3743c472/setup.py", line 5, in
    from setuptools_rust import RustExtension
    ModuleNotFoundError: No module named 'setuptools_rust'
    ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/a5/4e/5dfd9ad96e7bbe29e3c6e8f380175d6382722d4306547f34e40e33d022b7/evtx-0.2.6.tar.gz#sha256=5c9a1a988e28a128abf539fdb6c2ae08f6ea2f3e15d534f10362edf597bcd1a8 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    Using cached evtx-0.2.5.tar.gz (1.4 kB) ERROR: Command errored out with exit status 1: command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/setup.py'"'"'; file='"'"'/tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-753zlwh6 cwd: /tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/
    Complete output (5 lines):
    Traceback (most recent call last):
    File "", line 1, in
    File "/tmp/pip-install-j9wfr385/evtx_684a5159d08b46eab163ecb6a290fe72/setup.py", line 5, in
    from setuptools_rust import RustExtension
    ModuleNotFoundError: No module named 'setuptools_rust'
    ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/11/4c/13588de4d88a437e00a10653969b86b886cb1db22a7a758729edd4ed2ac8/evtx-0.2.5.tar.gz#sha256=ab7c61b01d6723b2da5fa192faf12cc82bc54b4a3a9ee338aff665cd7f29cf33 (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    ERROR: Could not find a version that satisfies the requirement evtx ERROR: No matching distribution found for evtx

    opened by krisz-bot 2
  • Adding pandas and xlsxwriter to reqs + Fix date in PasswordSpray detection

    When launching a dry run, I noticed some libraries were missing. This PR adds them in the requirements.txt.

    It also adds a fix for the PasswordSpray detection which used to use datetime.now instead of the actual date in the log file.

    opened by evilcel3ri 2
  • Error Analyzing Powershell Operational logs - list index out of range

    Description: Kali GNU/Linux Rolling
    Release: 2021.3
    Codename: kali-rolling
    Python Version: Python 3.9.7

    Error Analyzing Powershell Operational logs 
    ERROR:root:Traceback (most recent call last):
      File "/home/kali/sources/APT-Hunter/APT-Hunter.py", line 80, in evtxdetect_auto
        EvtxDetection.detect_events_powershell_operational_log(powershellop_path_list,input_timezone)
      File "/home/kali/sources/APT-Hunter/lib/EvtxDetection.py", line 2399, in detect_events_powershell_operational_log
        Event_desc = "Found User (" + User[0].strip() + ") run PowerShell with Command Name (" + \
    IndexError: list index out of range
    
    opened by scusi 1
  • 2.0 - evtxdetect_auto error and no CSV output

    Hello,

    Thank you for providing a compiled Windows EXE. I'll be making a Module in KAPE for this tool, but first I think some bugs need to be fixed :)

    I ran the tool against the EVTX-ATTACK-SAMPLES repo and received the following errors:

    Error Analyzing Sysmon logs
    ERROR:root:Traceback (most recent call last):
      File "APT-Hunter.py", line 130, in evtxdetect_auto
      File "lib\EvtxDetection.py", line 3082, in detect_events_Sysmon_log
    NameError: name 'user' is not defined
    

    https://github.com/ahmedkhlief/APT-Hunter/blob/60fc3fd07616e89e5fdb8e390cf6a564d1c64435/APT-Hunter.py#L130 https://github.com/ahmedkhlief/APT-Hunter/blob/60fc3fd07616e89e5fdb8e390cf6a564d1c64435/lib/EvtxDetection.py#L3082

    Also, despite the below message indicating otherwise, there was no CSV output to be found.

    Time Sketch Report saved as V:\EVTX\APTHunterTest_TimeSketch.csv
    Logon Events Report saved as V:\EVTX\APTHunterTest_Logon_Events.csv
    Report saved as V:\EVTX\APTHunterTest_Report.xlsx
    

    So I think something might be wrong 🤷

    opened by AndrewRathbun 1
  • Getting an error with sysmon

    Hello,

    I'm getting this error:

    File "APT-Hunter.py", line 108, in evtxdetect
        EvtxDetection.detect_events_Sysmon_log(sysmon_path)
    File "C:\IR\APT-Hunter-main-Windows-V1.1-Stable\lib\EvtxDetection.py", line 2018, in detect_events_Sysmon_log
        if CommandLine[0].strip().find(i)>-1:
    IndexError: list index out of range

    Using python 3.7.4 and Sysmon 13.02

    Command: python APT-Hunter.py -t evtx --sysmon c:/temp3/logs/wineventlog/Sysmon.evtx -o Test_00

    Thanks,

    opened by rangerrkm 1
  • Remote fetch of EVTX

    Hi

    it would be nice to extend the script windows-log-collector-full-v3-EVTX.ps1 to extract the EVTX files from a remote machine (i.e. Active Directory using domain credentials).

    opened by notdodo 1
  • Issue with the path

    Issue with the path
    Traceback (most recent call last):
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 357, in <module>
        main()
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 324, in main
        report()
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 254, in report
        allresults = allresults[
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\frame.py", line 3810, in __getitem__
        indexer = self.columns._get_indexer_strict(key, "columns")[1]
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\indexes\base.py", line 6111, in _get_indexer_strict
        self._raise_if_missing(keyarr, indexer, axis_name)
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\indexes\base.py", line 6174, in _raise_if_missing
        raise KeyError(f"{not_found} not in index")
    KeyError: "['Computer Name', 'Channel'] not in index"

    opened by SUDOMICKEY 0
  • Error analyzing Sysmon logs

    My command

    APT-Hunter.exe -p C:\WINDOWS\System32\winevt\Logs
    

    Output

    Analyzing C:\WINDOWS\System32\winevt\Logs\OSession.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Parameters.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Security.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Setup.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\SMSApi.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\State.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\System.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Windows PowerShell.evtx
    Error Analyzing Sysmon logs
    ERROR:root:Traceback (most recent call last):
      File "APT-Hunter.py", line 130, in evtxdetect_auto
      File "lib\EvtxDetection.py", line 3347, in detect_events_Sysmon_log
    IndexError: list index out of range
    
    Traceback (most recent call last):
      File "APT-Hunter.py", line 359, in <module>
      File "APT-Hunter.py", line 326, in main
      File "APT-Hunter.py", line 236, in report
      File "pandas\core\frame.py", line 636, in __init__
      File "pandas\core\internals\construction.py", line 502, in dict_to_mgr
      File "pandas\core\internals\construction.py", line 120, in arrays_to_mgr
      File "pandas\core\internals\construction.py", line 674, in _extract_index
    ValueError: All arrays must be of the same length
    [6696] Failed to execute script 'APT-Hunter' due to unhandled exception!
    
    opened by fareedfauzi 1
  • executable only process folder named Logs

    APT-Hunter is working OK when the folder of the logs is "Logs", as in the following

    C:\tools\APT-HunterV2.0-Stable+>APT-Hunter.exe -p *\Logs* -o project3

    But if I change it to anything else, for example

    C:\tools\APT-HunterV2.0-Stable+>APT-Hunter.exe -p *\Log* -o project3

    it shows the following, and all the Excel files are created but empty

    Issue with the path

    opened by tamermh 0
  • Error Analyzing Powershell Operational logs

    File "E:#Tools\APT-Hunter-main\APT-Hunter.py", line 80, in evtxdetect_auto
        EvtxDetection.detect_events_powershell_operational_log(powershellop_path_list,input_timezone)
    File "E:#Tools\APT-Hunter-main\lib\EvtxDetection.py", line 2293, in detect_events_powershell_operational_log
        Event_desc = "Found User (" + User[
    IndexError: list index out of range

    opened by normaliok 1
  • :wrench: fix access to a variable before assignment

    fixes #18

    No more complaints about variable being accessed before assignment:

    ~/dev/apt-hunter/repo/APT-Hunter fix-error-on-using-variable-before-assignement* 32s
    .venv ❯ python APT-Hunter.py -p ~/dev/logs-windows -o output_file
    
      /$$$$$$  /$$$$$$$  /$$$$$$$$         /$$   /$$                       /$$
     /$$__  $$| $$__  $$|__  $$__/        | $$  | $$                      | $$
    | $$  \ $$| $$  \ $$   | $$           | $$  | $$ /$$   /$$ /$$$$$$$  /$$$$$$    /$$$$$$   /$$$$$$
    | $$$$$$$$| $$$$$$$/   | $$    /$$$$$$| $$$$$$$$| $$  | $$| $$__  $$|_  $$_/   /$$__  $$ /$$__  $$
    | $$__  $$| $$____/    | $$   |______/| $$__  $$| $$  | $$| $$  \ $$  | $$    | $$$$$$$$| $$  \__/
    | $$  | $$| $$         | $$           | $$  | $$| $$  | $$| $$  | $$  | $$ /$$| $$_____/| $$
    | $$  | $$| $$         | $$           | $$  | $$|  $$$$$$/| $$  | $$  |  $$$$/|  $$$$$$$| $$
    |__/  |__/|__/         |__/           |__/  |__/ \______/ |__/  |__/   \___/   \_______/|__/
    
                                                                    By : Ahmed Khlief , @ahmed_khlief
                                                                    Version : 2.0
                                                                                                      
    Analyzing /home/bernardosilva/dev/logs-windows/Security.evtx
    Analyzing /home/bernardosilva/dev/logs-windows/Application.evtx
    Analyzing /home/bernardosilva/dev/logs-windows/System.evtx
    Time Sketch Report saved as output_file_TimeSketch.csv
    Logon Events Report saved as output_file_Logon_Events.csv
    Report saved as output_file_Report.xlsx
    
    opened by BernardoSilva 0
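Two things run through the issues above: the "File path does not exist" report lists channel files whose names carry '%4' where the channel name has a '/', and several "list index out of range" tracebacks come from indexing User[0] or CommandLine[0] on a record where the parser returned an empty list. This added example is my own code, not APT-Hunter's: a channel-name decoder that sorts a log folder into the tool's per-log arguments, and a field accessor that substitutes a placeholder instead of raising. The CHANNEL_BY_ARG pairing, the helper names and the "<missing>" placeholder are assumptions.

```python
import os
from typing import Dict, List, Optional

# The per-log arguments APT-Hunter accepts (--security, --system, ...) and the
# Windows channel I assume each one is meant for. The channel names are the
# standard ones; pairing them with the argument names is my assumption.
CHANNEL_BY_ARG = {
    "security": "Security",
    "system": "System",
    "powershell": "Windows PowerShell",
    "powershellop": "Microsoft-Windows-PowerShell/Operational",
    "terminal": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "defender": "Microsoft-Windows-Windows Defender/Operational",
    "winrm": "Microsoft-Windows-WinRM/Operational",
    "sysmon": "Microsoft-Windows-Sysmon/Operational",
    "scheduledtask": "Microsoft-Windows-TaskScheduler/Operational",
}


def channel_from_filename(path: str) -> str:
    """Recover the channel name from an .evtx path. The event log service
    cannot use '/' in a file name, so it writes it as '%4' on disk."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]   # Windows or POSIX paths
    stem = base[:-5] if base.lower().endswith(".evtx") else base
    return stem.replace("%4", "/")


def classify_evtx_files(paths: List[str]) -> Dict[str, List[str]]:
    """Group .evtx paths by the APT-Hunter argument they belong to. Channels the
    tool has no argument for (Admin, WHC, OSession, ...) go under 'unmatched'."""
    lookup = {channel.lower(): arg for arg, channel in CHANNEL_BY_ARG.items()}
    groups: Dict[str, List[str]] = {arg: [] for arg in CHANNEL_BY_ARG}
    groups["unmatched"] = []
    for p in paths:
        groups[lookup.get(channel_from_filename(p).lower(), "unmatched")].append(p)
    return groups


def list_evtx_files(folder: str) -> List[str]:
    """Every .evtx file directly inside `folder` (what -p points at)."""
    return sorted(os.path.join(folder, n) for n in os.listdir(folder)
                  if n.lower().endswith(".evtx"))


def field(values: Optional[List[str]], default: str = "<missing>") -> str:
    """First value of a parsed field list, or `default` when the parser found
    nothing. Indexing values[0] directly is what raised the IndexError in the
    issues above when a record lacked the field."""
    if values:
        return values[0].strip()
    return default


def describe_powershell_event(parsed: Dict[str, List[str]]) -> str:
    """Same kind of one-line description the tool prints for a PowerShell
    event, but safe for records where User or CommandName is absent."""
    return "Found User (%s) run PowerShell with Command Name (%s)" % (
        field(parsed.get("User")), field(parsed.get("CommandName")))


if __name__ == "__main__":
    import sys
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    for arg, files in classify_evtx_files(list_evtx_files(folder)).items():
        print("--%s: %s" % (arg, files or "(none found)"))
```

Run with the folder you would pass to -p to see which files would feed each argument and which channels the tool has no argument for.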
Releases (V2.0-Stable)