https://github.com/ethack/tht

Threat Hunting Toolkit is a Swiss Army knife for threat hunting, log processing, and security-focused data science
docker threat-hunting zeek

# Threat Hunting Toolkit

[GitHub][github-url] |
[DockerHub][docker-url] |
[Docs][docs-url]

[![Docker Image Size][docker-size-badge]][docker-url]
[![Docker Pull Count][docker-pulls-badge]][docker-url]
[![MIT license][mit-badge]](#license)

The Threat Hunting Toolkit (THT) is a Swiss Army knife for threat hunting, log processing, and security-focused data science. It incorporates many CLI tools into one place for ease of deployment and includes wrappers and convenience features for ease of use. It comes packaged as a Docker image that can be deployed with a single command. Spend less time struggling with installation, configuration, or environment differences, and more on filtering, slicing, and data stacking.

## Features

🧰 **Easy to Install**

- Small - Keep download size under 300 MB.
- Portable - Works across a variety of systems thanks to Docker.

📖 **Fast to Learn**

- Consistent - Get the same configuration on every system, which means a familiar environment everywhere.
- Format Agnostic - Avoid swapping between similar tools with annoying syntax variations for different formats including Zeek, CSV, TSV, and JSON.
- Remove Boilerplate - Remove the boilerplate for common use cases with the included scripts, functions, and aliases.
- Documented - There are [cheatsheets][cheat-url] and [documentation][docs-url] available to get started right away.

🚀 **Fast to Run**

- Optimized - Everything is benchmarked to find the fastest methods when there are several options.
- Parallel - Many of the components take advantage of multiple CPU cores to process data in parallel.

## Usage

The recommended method is to use the `tht` wrapper script included in the repo.

**Install**
```bash
sudo curl -o /usr/local/bin/tht https://raw.githubusercontent.com/ethack/tht/main/tht && sudo chmod +x /usr/local/bin/tht
```

**Run**
```bash
tht
```

**Update**
```bash
tht update
```

You can also start THT directly with a `docker run` command.

**From DockerHub**
```bash
docker run \
--rm -it \
-h $(hostname) \
--init \
--pid host \
-v /etc/localtime:/etc/localtime \
-v /:/host \
-w "/host/$(pwd)" \
ethack/tht
```

**From GitHub Container Registry**
```bash
docker run \
--rm -it \
-h $(hostname) \
--init \
--pid host \
-v /etc/localtime:/etc/localtime \
-v /:/host \
-w "/host/$(pwd)" \
ghcr.io/ethack/tht
```

However, you will lose all the convenience features the `tht` wrapper script provides.
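The `docker run` commands above bind-mount the whole host filesystem read-write (`-v /:/host`) and share the host PID namespace (`--pid host`). For an analyst who only needs THT to read one directory of logs, the following added example (not part of the THT project) wraps a narrower invocation that mounts just that directory, read-only by default; `THT_IMAGE`, `tht_mount_spec` and `tht_run` are this example's own names.

```shell
#!/bin/sh
# Added example, not THT's own code: run THT with one host directory mounted at /data.
THT_IMAGE="${THT_IMAGE:-ethack/tht}"   # same image as the README; override for ghcr.io

# Validate a host directory and print the bind-mount spec "<absolute path>:/data:<mode>".
# $1 = host directory (default: current directory); $2 = ro (default) or rw.
tht_mount_spec() {
    mode="${2:-ro}"
    case "$mode" in
        ro|rw) ;;
        *) echo "tht_mount_spec: mode must be ro or rw, got '$mode'" >&2; return 1 ;;
    esac
    # Resolve symlinks so Docker gets the real path; fail if the directory does not exist.
    dir=$(cd -- "${1:-.}" >/dev/null 2>&1 && pwd -P) || {
        echo "tht_mount_spec: not a directory: ${1:-.}" >&2; return 1; }
    printf '%s:/data:%s\n' "$dir" "$mode"
}

# Start THT against one directory. Compared with the README's command this drops
# "-v /:/host" and "--pid host": the container sees only the chosen directory and
# its own processes. Add --pid host back only if you need THT to inspect host processes.
tht_run() {
    spec=$(tht_mount_spec "$@") || return 1
    docker run --rm -it --init \
        -h "$(hostname)" \
        -v /etc/localtime:/etc/localtime:ro \
        -v "$spec" \
        -w /data \
        "$THT_IMAGE"
}
```

Calling `tht_run ./zeek-logs` opens THT with that directory at `/data`; you give up both the `tht` script's conveniences and access to other host paths from inside the container.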

If you'd like to build the image or documentation manually, see [here](https://ethack.github.io/tht/development/).

## Documentation

For the current documentation, see [here](https://ethack.github.io/tht/).

These pages are a good place to get the lay of the land:
- [List of tools included in THT](https://ethack.github.io/tht/#/reference/)
- [Cheatsheets covering common cases](https://ethack.github.io/tht/#/cheatsheets/)
- You can also access these from inside THT by running `cheat` or by pressing the `ctrl-g` keyboard shortcut.
- You'll get a random tip from these cheatsheets every time you start THT.

## License

The source code in this project is licensed under the [MIT license](LICENSE).

The [documentation](docs/content/) is licensed under the [CC BY-NC-SA 4.0 license][cc-url].

[github-url]: https://github.com/ethack/tht
[docker-url]: https://hub.docker.com/r/ethack/tht
[docs-url]: https://ethack.github.io/tht/
[cheat-url]: https://github.com/ethack/tht/tree/main/cheatsheets

[docker-size-badge]: https://badgen.net/docker/size/ethack/tht
[docker-pulls-badge]: https://badgen.net/docker/pulls/ethack/tht

[mit-badge]: https://badgen.net/badge/license/MIT/green

[cc-url]: https://creativecommons.org/licenses/by-nc-sa/4.0/