Introducing APT-Hunter : Threat Hunting Tool via Windows Event Log

apt hunter


APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity . this tool will make a good use of the windows event logs collected and make sure to not miss critical events configured to be detected. If you are a Threat Hunter , Incident Responder or forensic investigator , i assure you will enjoy using this tool , why ? i will discuss the reason in this article and how it will make your life easy just it made mine . Kindly note this tool is heavily tested but still a beta version and may contain bugs.

Full information about the tool and how its used in this article: introducing-apt-hunter-threat-hunting-tool-using-windows-event-log

You can get the latest release from Github

Author: Ahmed Khlief

How to Use APT-Hunter

The first thing to do is to collect the logs if you didn’t and with powershell log collectors its easy to collect the needed logs automatically you just run the powershell scripts as administrator.

To collect the logs in EVTX format use : windows-log-collector-full-v3-EVTX.ps1

To collect the logs in CSV format use : windows-log-collector-full-v3-CSV.ps1

APT-Hunter built using python3 so in order to use the tool you need to install the required libraries (python3.9 is not supported yet).

					python3 -m pip install -r Requirements.txt

APT-Hunter is easy to use you just use the argument -h to print help to see the options needed.

					python3 -h

usage: [-h] [-p PATH] [-o OUT] [-t {csv,evtx}]
 -h, --help show this help message and exit
 -p PATH, --path PATH path to folder containing windows event logs generated by the APT-Hunter-Log-Collector.ps1
 -o OUT, --out OUT output file name
 -t {csv,evtx}, --type {csv,evtx} csv ( logs from get-eventlog or windows event log GUI or logs from Get-WinEvent ) , evtx ( EVTX extension windows event log )
 --security SECURITY Path to Security Logs
 --system SYSTEM Path to System Logs
 --scheduledtask SCHEDULEDTASK Path to Scheduled Tasks Logs
 --defender DEFENDER Path to Defender Logs
 --powershell POWERSHELL Path to Powershell Logs
 --powershellop POWERSHELLOP Path to Powershell Operational Logs
 --terminal TERMINAL Path to TerminalServices LocalSessionManager Logs
 --winrm WINRM Path to Winrm Logs
 --sysmon SYSMON Path to Sysmon Logs
 -p : provide path to directory containing the extracted using the powershell log collectors ( windows-log-collector-full-v3-CSV.ps1 , windows-log-collector-full-v3-EVTX.ps1 ) .
 -o : name of the project which will be used in the generated output sheets
 -t : the log type if its CSV or EVTX


The remaining arguments if you want to analyze single type of logs.


					python3 -t evtx -p /opt/wineventlogs/ -o Project1
python3 -t csv -p /opt/wineventlogs/ -o Project1
python3 -t evtx --security evtx/security.evtx --powershell evtx/powershell.evtx -o Project2

The result will be available in following two sheets

Project1_Report.xlsx: this excel sheet will include all the events detected from every windows logs provided to APT-Hunter

Project1_TimeSketch.csv: This CSV file you can upload it to timesketch in order to have timeline analysis that will help you see the full picture of the attack.

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top