APT-Hunter is a threat hunting tool for Windows event logs

Overview

APT-Hunter

APT-Hunter is a threat hunting tool for Windows event logs, built with a purple-team mindset to detect APT movements hidden in the sea of Windows event logs and to cut the time needed to uncover suspicious activity. The tool makes good use of the event logs you have already collected and makes sure that no critical event it is configured to detect is missed. If you are a threat hunter, incident responder or forensic investigator, I assure you that you will enjoy using this tool; why, and how it will make your life easier the way it made mine, is discussed in the article linked below. Kindly note that the tool is heavily tested but still a beta version and may contain bugs.

Full information about the tool and how it is used is in this article: introducing-apt-hunter-threat-hunting-tool-using-windows-event-log

Author:

Twitter: @ahmed_khlief

LinkedIn: Ahmed Khlief

How to Use APT-Hunter

The first thing to do is to collect the logs, if you have not done so already. The PowerShell log collectors make this easy: run the script as administrator and the needed logs are collected automatically.

To collect the logs in EVTX format use: windows-log-collector-full-v3-EVTX.ps1

To collect the logs in CSV format use: windows-log-collector-full-v3-CSV.ps1

Windows users, please use the latest release: Latest Release

APT-Hunter is built with Python 3, so before using the tool you need to install the required libraries (Python 3.9 is not supported yet).

python3 -m pip install -r Requirements.txt

APT-Hunter is easy to use: pass the -h argument to print the help and see the available options.

python3 APT-Hunter.py -h

usage: APT-Hunter.py [-h] [-p PATH] [-o OUT] [-t {csv,evtx}]

  -h, --help                         show this help message and exit
  -p PATH, --path PATH               path to folder containing windows event logs generated by the APT-Hunter-Log-Collector.ps1
  -o OUT, --out OUT                  output file name
  -t {csv,evtx}, --type {csv,evtx}   csv ( logs from get-eventlog or windows event log GUI or logs from Get-WinEvent ) , evtx ( EVTX extension windows event log )
  --security SECURITY                Path to Security Logs
  --system SYSTEM                    Path to System Logs
  --scheduledtask SCHEDULEDTASK      Path to Scheduled Tasks Logs
  --defender DEFENDER                Path to Defender Logs
  --powershell POWERSHELL            Path to Powershell Logs
  --powershellop POWERSHELLOP        Path to Powershell Operational Logs
  --terminal TERMINAL                Path to TerminalServices LocalSessionManager Logs
  --winrm WINRM                      Path to Winrm Logs
  --sysmon SYSMON                    Path to Sysmon Logs

-p : path to the directory containing the logs extracted with the PowerShell log collectors (windows-log-collector-full-v3-CSV.ps1, windows-log-collector-full-v3-EVTX.ps1).

-o : name of the project, used to name the generated output sheets.

-t : the log type, CSV or EVTX.

The remaining arguments are for analyzing a single type of log.

Examples:

python3 APT-Hunter.py -t evtx -p /opt/wineventlogs/ -o Project1

python3 APT-Hunter.py -t csv -p /opt/wineventlogs/ -o Project1

python3 APT-Hunter.py -t evtx --security evtx/security.evtx --powershell evtx/powershell.evtx -o Project2

The results are written to two files:

Project1_Report.xlsx : this Excel workbook includes all the events detected in every Windows log provided to APT-Hunter.

Project1_TimeSketch.csv : this CSV file can be uploaded to Timesketch for timeline analysis, which helps you see the full picture of the attack.
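The Timesketch output above, and two bugs reported in the issues below (a PasswordSpray detection that took its date from datetime.now instead of the log record, and "list index out of range" when a record lacks a field), all hinge on how a detection reads timestamps and fields out of an event. The following added example is not APT-Hunter's own code: it runs a small defensive password-spray check over constructed Security 4625 records and writes the findings with the three columns Timesketch's CSV importer requires (message, datetime, timestamp_desc); the host names, accounts and addresses in it are constructed.

```python
"""Added example, not APT-Hunter's own code: a defensive Security-log password
spray check that takes its time window from each record's own TimeCreated (not
datetime.now()), returns None for a missing EventData field instead of indexing
an empty match list, and writes findings in the Timesketch CSV import layout.
All records, hosts, accounts and addresses below are constructed."""
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

def _record(ts, user, ip, computer="DC1.corp.example"):
    """Constructed 4625 record in the XML shape the evtx library renders."""
    user_data = f'<Data Name="TargetUserName">{user}</Data>' if user else ""
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>4625</EventID>'
            f'<TimeCreated SystemTime="{ts}"/><Computer>{computer}</Computer>'
            f'</System><EventData>{user_data}<Data Name="IpAddress">{ip}</Data>'
            '<Data Name="LogonType">3</Data></EventData></Event>')

# Constructed sample: 10.0.0.5 fails against six accounts in under four minutes,
# 10.0.0.9 fails twice against one account, and the last 10.0.0.5 record has no
# TargetUserName at all (the shape behind "list index out of range").
SAMPLE_RECORDS = [
    _record("2021-03-01T10:00:00.0000000Z", "alice", "10.0.0.5"),
    _record("2021-03-01T10:00:40.1234567Z", "bob", "10.0.0.5"),
    _record("2021-03-01T10:01:20.0000000Z", "carol", "10.0.0.5"),
    _record("2021-03-01T10:02:00.0000000Z", "dave", "10.0.0.5"),
    _record("2021-03-01T10:02:45.0000000Z", "erin", "10.0.0.5"),
    _record("2021-03-01T10:03:30.0000000Z", "frank", "10.0.0.5"),
    _record("2021-03-01T10:01:00.0000000Z", "alice", "10.0.0.9"),
    _record("2021-03-01T10:05:00.0000000Z", "alice", "10.0.0.9"),
    _record("2021-03-01T10:04:00.0000000Z", None, "10.0.0.5"),
]

def parse_system_time(value):
    """TimeCreated has 100 ns precision (7 digits); datetime accepts 6."""
    stamp, _, frac = value.rstrip("Z").partition(".")
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)

def data_field(root, name):
    """Value of the EventData field `name`, or None when the record lacks it."""
    for data in root.iter(f"{NS}Data"):
        if data.get("Name") == name:
            return (data.text or "").strip()
    return None

def parse_records(xml_records):
    events = []
    for xml in xml_records:
        root = ET.fromstring(xml)
        system = root.find(f"{NS}System")
        events.append({
            "event_id": int(system.find(f"{NS}EventID").text),
            "time": parse_system_time(system.find(f"{NS}TimeCreated").get("SystemTime")),
            "computer": system.find(f"{NS}Computer").text,
            "user": data_field(root, "TargetUserName"),
            "ip": data_field(root, "IpAddress"),
        })
    return events

def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """One alert per source IP with failed logons against at least `min_users`
    distinct accounts inside `window`, measured on the records' own times."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4625 or not ev["user"] or not ev["ip"]:
            continue  # skip incomplete records instead of aborting the run
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end, ev in enumerate(evs):
            while ev["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward in event time
            users = sorted({e["user"] for e in evs[start:end + 1]})
            if len(users) >= min_users and (not best or len(users) > len(best["users"])):
                best = {"ip": ip, "computer": ev["computer"], "users": users,
                        "first_seen": evs[start]["time"], "last_seen": ev["time"]}
        if best:
            alerts.append(best)
    return alerts

def to_timesketch_rows(alerts):
    """Rows carrying the three columns Timesketch's CSV importer requires."""
    return [{"message": f"Possible password spray from {a['ip']} against "
                        f"{len(a['users'])} accounts on {a['computer']}: {', '.join(a['users'])}",
             "datetime": a["first_seen"].isoformat(),
             "timestamp_desc": "Event Time"} for a in alerts]

def write_timesketch_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["message", "datetime", "timestamp_desc"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Running write_timesketch_csv(to_timesketch_rows(detect_password_spray(parse_records(SAMPLE_RECORDS)))) yields a header row plus one alert row for 10.0.0.5 that can be imported into Timesketch as-is.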

Comments
  • EVTX-ATTACK-SAMPLES

    Hi, first of all an awesome job. I've been trying to use https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES for testing but unfortunately I was not able to do it. What would be the correct approach, if possible at all? Thanks a lot.

    opened by V0lundr 5
  • Can't install Requirements

    I installed Python 3.9 on my Windows 10 Pro machine (only this fresh install of Python, no other languages installed). When executing the command python -m pip install -r Requirements.txt I get the error listed below. I had run the command 2x; I assume this is why it says it references "cached".

    Collecting netaddr
      Using cached netaddr-0.8.0-py2.py3-none-any.whl (1.9 MB)
    Collecting evtx
      Using cached evtx-0.6.8.tar.gz (2.2 kB)
        ERROR: Command errored out with exit status 1:
         command: 'C:\Users\XXXXX\AppData\Local\Programs\Python\Python39\python.exe' -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py'"'"'; __file__='"'"'C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base 'C:\Users\XXXXX\AppData\Local\Temp\pip-pip-egg-info-yy_8dz2x'
             cwd: C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "C:\Users\XXXXX\AppData\Local\Temp\pip-install-ehjf8erp\evtx\setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'

    Note that I am running the command in an elevated command prompt.

    Thank you for any assistance.

    opened by brohan 4
  • File path does not exist

    I am trying this out during post-mortem forensics.

    I copy all .evtx files out of my images into a folder and then run APT-Hunter against all the files in the folder.

    Only the System and Security events parse, and I receive the following errors when running the following command: .\APT-Hunter.exe -t evtx -p I:\Evidence\Case\EVTX\Dc1\ -o Case-Dc1

    Error Analyzing Security logs: File Path Does Not Exist
    Error Analyzing System logs : File Path Does Not Exist
    Error Analyzing Powershell Operational logs : File Path Does Not Exist
    Error Analyzing Powershell logs : File Path Does Not Exist
    Error Analyzing TerminalServices LocalSessionManager logs: File Path Does Not Exist
    Error Analyzing Scheduled Task logs : File Path Does Not Exist
    Error Analyzing Windows Defender logs : File Path Does Not Exist
    Error Analyzing WinRM logs : File Path Does Not Exist
    Error Analyzing Sysmon logs

    Does it have anything to do with the filenames from the OS?

    Microsoft-Windows-PowerShell%4Admin.evtx
    Microsoft-Windows-PowerShell%4Operational.evtx
    Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
    Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
    Microsoft-Windows-Windows Defender%4Operational.evtx
    Microsoft-Windows-Windows Defender%4WHC.evtx

    opened by clive7391 3
  • Requirements Issue

    I am trying to install the requirements on Win 10. I have installed Python3 + Rust but keep encountering this error -

    I installed Rust using pip install setuptools-rust and the rustup-init.exe, but still keep getting this -

    ERROR: Failed building wheel for evtx
    Running setup.py clean for evtx
    Failed to build evtx
    Installing collected packages: evtx, netaddr, numpy, six, python-dateutil, pytz, pandas, XlsxWriter
        Running setup.py install for evtx ... error
        ERROR: Command errored out with exit status 1:
         command: 'C:\Users\user\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"'; __file__='"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'C:\Users\user\AppData\Local\Temp\pip-record-03gi9t6z\install-record.txt' --single-version-externally-managed --user --prefix= --compile --install-headers 'C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Include\evtx'
             cwd: C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx
        Complete output (42 lines):
        running install
        running build
        running build_ext
        running build_rust
        error: manifest path Cargo.toml does not exist
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py", line 21, in <module>
            setup(
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\site-packages\setuptools\__init__.py", line 165, in setup
            return distutils.core.setup(**attrs)
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\core.py", line 148, in setup
            dist.run_commands()
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 966, in run_commands
            self.run_command(cmd)
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command
            cmd_obj.run()
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\site-packages\setuptools\command\install.py", line 61, in run
            return orig.install.run(self)
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\command\install.py", line 546, in run
            self.run_command('build')
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\cmd.py", line 313, in run_command
            self.distribution.run_command(command)
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command
            cmd_obj.run()
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\command\build.py", line 135, in run
            self.run_command(cmd_name)
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\cmd.py", line 313, in run_command
            self.distribution.run_command(command)
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\distutils\dist.py", line 985, in run_command
            cmd_obj.run()
          File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\setuptools_ext.py", line 23, in run
            build_rust.run()
          File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\build.py", line 357, in run
            self.build_extension(ext)
          File "C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\site-packages\setuptools_rust\build.py", line 120, in build_extension
            metadata = json.loads(check_output(metadata_command).decode("utf-8"))
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\subprocess.py", line 420, in check_output
            return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
          File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.9_3.9.496.0_x64__qbz5n2kfra8p0\lib\subprocess.py", line 524, in run
            raise CalledProcessError(retcode, process.args,
        subprocess.CalledProcessError: Command '['cargo', 'metadata', '--manifest-path', 'Cargo.toml', '--format-version', '1']' returned non-zero exit status 101.
        ----------------------------------------
    ERROR: Command errored out with exit status 1: 'C:\Users\user\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\python.exe' -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"'; __file__='"'"'C:\Users\user\AppData\Local\Temp\pip-install-qjtjp_9e\evtx\setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record 'C:\Users\user\AppData\Local\Temp\pip-record-03gi9t6z\install-record.txt' --single-version-externally-managed --user --prefix= --compile --install-headers 'C:\Users\user\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Include\evtx' Check the logs for full command output.

    opened by hackjalstead 3
  • Missing `setuptools_rust` from requirements

    Hi! When launching a dry run to install the requirements, setuptools_rust is missing.

    (.env) ~/APT-Hunter >>> pip install -r Requirements.txt                                                                                                                       ±[main]
    Collecting evtx
      Downloading evtx-0.6.8.tar.gz (2.2 kB)
        ERROR: Command errored out with exit status 1:
         command: /home/xxx/APT-Hunter/.env/bin/python -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py'"'"'; __file__='"'"'/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-nk2jwvmk
             cwd: /tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-install-mjeg8637/evtx_f611c1c42b5446d19336a2d56bb8900b/setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'
        ----------------------------------------
    ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    

    Thanks, the tool looks awesome!

    opened by evilcel3ri 3
  • Seeing the following error .

    [email protected]:/home/kali/Desktop/APT-Hunter# python3 -m pip install -r requirements.txt
    Collecting evtx
      Using cached evtx-0.6.8.tar.gz (2.2 kB)
        ERROR: Command errored out with exit status 1:
         command: /usr/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py'"'"'; __file__='"'"'/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' egg_info --egg-base /tmp/pip-pip-egg-info-7w2zav_u
             cwd: /tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/
        Complete output (5 lines):
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-install-j9wfr385/evtx_384116d45afb44579e11c9ec2af1ac34/setup.py", line 5, in <module>
            from setuptools_rust import RustExtension
        ModuleNotFoundError: No module named 'setuptools_rust'
        ----------------------------------------
    WARNING: Discarding https://files.pythonhosted.org/packages/33/18/b32715bae61c4fe6a7cdb79aafccb0d4797a1bfef028e9689197af214966/evtx-0.6.8.tar.gz#sha256=414507b79fe997a35fbf05ae57dd2f55a7acfc669b19d9125a894ffe40dbeade (from https://pypi.org/simple/evtx/). Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
    ERROR: Could not find a version that satisfies the requirement evtx
    ERROR: No matching distribution found for evtx

    opened by krisz-bot 2
  • Adding pandas and xlsxwriter to reqs + Fix date in PasswordSpray detection

    When launching a dry run, I noticed some libraries were missing. This PR adds them in the requirements.txt.

    It also adds a fix for the PasswordSpray detection which used to use datetime.now instead of the actual date in the log file.

    opened by evilcel3ri 2
  • Error Analyzing Powershell Operational logs - list index out of range

    Description: Kali GNU/Linux Rolling
    Release: 2021.3
    Codename: kali-rolling
    Python Version: Python 3.9.7

    Error Analyzing Powershell Operational logs 
    ERROR:root:Traceback (most recent call last):
      File "/home/kali/sources/APT-Hunter/APT-Hunter.py", line 80, in evtxdetect_auto
        EvtxDetection.detect_events_powershell_operational_log(powershellop_path_list,input_timezone)
      File "/home/kali/sources/APT-Hunter/lib/EvtxDetection.py", line 2399, in detect_events_powershell_operational_log
        Event_desc = "Found User (" + User[0].strip() + ") run PowerShell with Command Name (" + \
    IndexError: list index out of range
    
    opened by scusi 1
  • 2.0 - evtxdetect_auto error and no CSV output

    Hello,

    Thank you for providing a compiled Windows EXE. I'll be making a Module in KAPE for this tool, but first I think some bugs need to be fixed :)

    I ran the tool against the EVTX-ATTACK-SAMPLES repo and received the following errors:

    Error Analyzing Sysmon logs
    ERROR:root:Traceback (most recent call last):
      File "APT-Hunter.py", line 130, in evtxdetect_auto
      File "lib\EvtxDetection.py", line 3082, in detect_events_Sysmon_log
    NameError: name 'user' is not defined
    

    https://github.com/ahmedkhlief/APT-Hunter/blob/60fc3fd07616e89e5fdb8e390cf6a564d1c64435/APT-Hunter.py#L130
    https://github.com/ahmedkhlief/APT-Hunter/blob/60fc3fd07616e89e5fdb8e390cf6a564d1c64435/lib/EvtxDetection.py#L3082

    Also, despite the below message indicating otherwise, there was no CSV output to be found.

    Time Sketch Report saved as V:\EVTX\APTHunterTest_TimeSketch.csv
    Logon Events Report saved as V:\EVTX\APTHunterTest_Logon_Events.csv
    Report saved as V:\EVTX\APTHunterTest_Report.xlsx
    

    So I think something might be wrong 🤷

    opened by AndrewRathbun 1
  • Getting an error with sysmon

    Hello,

    I'm getting this error:

      File "APT-Hunter.py", line 108, in evtxdetect
        EvtxDetection.detect_events_Sysmon_log(sysmon_path)
      File "C:\IR\APT-Hunter-main-Windows-V1.1-Stable\lib\EvtxDetection.py", line 2018, in detect_events_Sysmon_log
        if CommandLine[0].strip().find(i)>-1:
    IndexError: list index out of range

    Using Python 3.7.4 and Sysmon 13.02

    Command: python APT-Hunter.py -t evtx --sysmon c:/temp3/logs/wineventlog/Sysmon.evtx -o Test_00

    Thanks,

    opened by rangerrkm 1
  • Remote fetch of EVTX

    Hi

    It would be nice to extend the script windows-log-collector-full-v3-EVTX.ps1 to extract the EVTX files from a remote machine (i.e. Active Directory using domain credentials).

    opened by notdodo 1
  • Issue with the path

    Issue with the path
    Traceback (most recent call last):
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 357, in <module>
        main()
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 324, in main
        report()
      File "C:\Users\sabil\Downloads\APT hunter\APT-Hunter-V2.0-Source\APT-Hunter-main\APT-Hunter.py", line 254, in report
        allresults = allresults[
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\frame.py", line 3810, in __getitem__
        indexer = self.columns._get_indexer_strict(key, "columns")[1]
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\indexes\base.py", line 6111, in _get_indexer_strict
        self._raise_if_missing(keyarr, indexer, axis_name)
      File "C:\Users\sabil\AppData\Local\Programs\Python\Python38\lib\site-packages\pandas\core\indexes\base.py", line 6174, in _raise_if_missing
        raise KeyError(f"{not_found} not in index")
    KeyError: "['Computer Name', 'Channel'] not in index"

    opened by SUDOMICKEY 0
  • Error analyzing Sysmon logs

    My command

    APT-Hunter.exe -p C:\WINDOWS\System32\winevt\Logs
    

    Output

    Analyzing C:\WINDOWS\System32\winevt\Logs\OSession.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Parameters.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Security.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Setup.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\SMSApi.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\State.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\System.evtx
    Analyzing C:\WINDOWS\System32\winevt\Logs\Windows PowerShell.evtx
    Error Analyzing Sysmon logs
    ERROR:root:Traceback (most recent call last):
      File "APT-Hunter.py", line 130, in evtxdetect_auto
      File "lib\EvtxDetection.py", line 3347, in detect_events_Sysmon_log
    IndexError: list index out of range
    
    Traceback (most recent call last):
      File "APT-Hunter.py", line 359, in <module>
      File "APT-Hunter.py", line 326, in main
      File "APT-Hunter.py", line 236, in report
      File "pandas\core\frame.py", line 636, in __init__
      File "pandas\core\internals\construction.py", line 502, in dict_to_mgr
      File "pandas\core\internals\construction.py", line 120, in arrays_to_mgr
      File "pandas\core\internals\construction.py", line 674, in _extract_index
    ValueError: All arrays must be of the same length
    [6696] Failed to execute script 'APT-Hunter' due to unhandled exception!
    
    opened by fareedfauzi 1
  • executable only process folder named Logs

    APT-Hunter is working OK when the folder of the logs is "Logs", as in the following

    C:\tools\APT-HunterV2.0-Stable+>APT-Hunter.exe -p *\Logs* -o project3

    But if I change it to anything else, for example

    C:\tools\APT-HunterV2.0-Stable+>APT-Hunter.exe -p *\Log* -o project3

    it shows the following, and all the Excel files are created empty

    Issue with the path

    opened by tamermh 0
  • Error Analyzing Powershell Operational logs

      File "E:#Tools\APT-Hunter-main\APT-Hunter.py", line 80, in evtxdetect_auto
        EvtxDetection.detect_events_powershell_operational_log(powershellop_path_list,input_timezone)
      File "E:#Tools\APT-Hunter-main\lib\EvtxDetection.py", line 2293, in detect_events_powershell_operational_log
        Event_desc = "Found User (" + User[
    IndexError: list index out of range

    opened by normaliok 1
  • :wrench: fix access to a variable before assignment

    fixes #18

    No more complaints about variable being accessed before assignment:

    ~/dev/apt-hunter/repo/APT-Hunter fix-error-on-using-variable-before-assignement* 32s
    .venv ❯ python APT-Hunter.py -p ~/dev/logs-windows -o output_file
    
      /$$$$$$  /$$$$$$$  /$$$$$$$$         /$$   /$$                       /$$
     /$$__  $$| $$__  $$|__  $$__/        | $$  | $$                      | $$
    | $$  \ $$| $$  \ $$   | $$           | $$  | $$ /$$   /$$ /$$$$$$$  /$$$$$$    /$$$$$$   /$$$$$$
    | $$$$$$$$| $$$$$$$/   | $$    /$$$$$$| $$$$$$$$| $$  | $$| $$__  $$|_  $$_/   /$$__  $$ /$$__  $$
    | $$__  $$| $$____/    | $$   |______/| $$__  $$| $$  | $$| $$  \ $$  | $$    | $$$$$$$$| $$  \__/
    | $$  | $$| $$         | $$           | $$  | $$| $$  | $$| $$  | $$  | $$ /$$| $$_____/| $$
    | $$  | $$| $$         | $$           | $$  | $$|  $$$$$$/| $$  | $$  |  $$$$/|  $$$$$$$| $$
    |__/  |__/|__/         |__/           |__/  |__/ \______/ |__/  |__/   \___/   \_______/|__/
    
                                                                    By : Ahmed Khlief , @ahmed_khlief
                                                                    Version : 2.0
                                                                                                      
    Analyzing /home/bernardosilva/dev/logs-windows/Security.evtx
    Analyzing /home/bernardosilva/dev/logs-windows/Application.evtx
    Analyzing /home/bernardosilva/dev/logs-windows/System.evtx
    Time Sketch Report saved as output_file_TimeSketch.csv
    Logon Events Report saved as output_file_Logon_Events.csv
    Report saved as output_file_Report.xlsx
    
    opened by BernardoSilva 0
Releases: V2.0-Stable