The Threat Hunter's Collection is a single PowerShell script that consolidates a diverse array of tools, a first step toward a comprehensive toolkit for cyber threat hunters.
This collection aims to simplify the threat hunting process by providing a single point of access to various tools, eliminating the need for tedious setup, sourcing downloads, or complex commands.
The toolkit is built for portability, so hunters can be creative: carry it on a USB drive, ship it as an email template, or curl it from a repository for convenient and efficient threat hunting on the go. Explore the tools, contribute to the project, and enhance your threat hunting capabilities with the Threat Hunter's Collection.
- Host Info - Enumerate host information and write the stdout to an exportable .txt file
- Sysmon - Log system activity to the Windows Event Log
- DeepBlueCLI - Hunt via Sysmon & Windows Event Logs
- AutoRuns - Hunt for scheduled tasks and persistence.
- ProcMon - Hunt file system, registry, & process/thread activity
- ProcExp - Hunt DLLs and processes
- TCPView - Hunt all TCP and UDP connections
- AccessEnum - Hunt file system and registry permission security settings
- WizTree - Hunt file structure
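The "Host Info" item above describes a collector that prints to stdout and also saves to a .txt file. The following is an added example of that pattern, written for this page and not taken from THC.ps1; the output path, the section list and the function name `Export-HostInfo` are my own choices. It uses only built-in Windows PowerShell 5.1 cmdlets, so it runs without any of the other tools installed, and a failing section (for example `Get-LocalUser` on a host where the module is missing) is recorded in the file instead of aborting the run.

```powershell
# Added example (not part of THC.ps1): minimal "Host Info" style collector.
# Every section goes to the console and is appended to an exportable .txt file.
function Export-HostInfo {
    param(
        # Assumed default location; pass -OutFile to write somewhere else (e.g. the USB drive)
        [string]$OutFile = "$env:USERPROFILE\Desktop\hostinfo-$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss).txt"
    )

    # Label -> script block. Kept as script blocks so one failing section does not stop the rest.
    $sections = [ordered]@{
        'System'          = { Get-ComputerInfo | Select-Object CsName, CsDomain, OsName, OsVersion, OsArchitecture, OsLastBootUpTime }
        'Network'         = { Get-NetIPConfiguration | Select-Object InterfaceAlias,
                                @{n='IPv4';    e={ $_.IPv4Address.IPAddress -join ',' }},
                                @{n='Gateway'; e={ $_.IPv4DefaultGateway.NextHop }} }
        'LocalUsers'      = { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet }
        # SID of the built-in Administrators group, so this works on non-English installs too
        'LocalAdmins'     = { Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, ObjectClass, PrincipalSource }
        'Listeners'       = { Get-NetTCPConnection -State Listen | Sort-Object LocalPort | Select-Object LocalAddress, LocalPort, OwningProcess }
        'RunningServices' = { Get-Service | Where-Object Status -eq 'Running' | Select-Object Name, DisplayName }
        'ScheduledTasks'  = { Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskName, TaskPath, State }
    }

    "Host info for $env:COMPUTERNAME collected $(Get-Date -Format o) by $env:USERNAME" | Tee-Object -FilePath $OutFile
    foreach ($name in $sections.Keys) {
        "`n===== $name =====" | Tee-Object -FilePath $OutFile -Append
        try {
            & $sections[$name] | Format-Table -AutoSize | Out-String -Width 200 | Tee-Object -FilePath $OutFile -Append
        } catch {
            "!! $name failed: $($_.Exception.Message)" | Tee-Object -FilePath $OutFile -Append
        }
    }
    Write-Host "Saved to $OutFile"
    return $OutFile
}

# Usage: run from an elevated prompt so the Security-relevant sections (local admins, listeners) are complete
Export-HostInfo
```

The file it produces is the artifact you keep alongside the Sysmon and DeepBlueCLI output, so the header line records who collected it and when; if you need to compare hosts, diff two of these files rather than re-running the collector on the first machine.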
- Download the single THC PowerShell script (optional: you can move the script to your desktop)
- Run a PowerShell terminal as administrator.
- Traverse to your Downloads folder or desktop (depending on where THC.ps1 is)
- Enable scripting by pasting this into your terminal (it is also the first line of the PowerShell script, so you don't have to come back here to copy pasta)

```powershell
powershell.exe -noprofile -executionpolicy bypass -file .\THC.ps1
```

- [Optional] For repeated use you can set the execution policy to unrestricted, then run THC.ps1 directly

```powershell
Set-ExecutionPolicy unrestricted
.\THC.ps1
```

- Don't forget to set the policy back to restricted when you leave

```powershell
Set-ExecutionPolicy restricted
```

- Hunt 😎
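The optional `Set-ExecutionPolicy unrestricted` step above changes the LocalMachine scope, which persists on the host after you leave and is easy to forget to undo. The block below is an added example, not part of THC.ps1, showing the same workflow with a session-scoped policy instead: `-Scope Process` lasts only for the current PowerShell window and is discarded on exit, so there is no "restricted" step to remember. It assumes THC.ps1 is in the current directory and that you recorded the script's SHA256 when you downloaded it; the function name `Invoke-ThcSession` is my own.

```powershell
# Added example (not part of THC.ps1): run the script without a persistent policy change.
#
# Persistent form from the README (LocalMachine scope, survives this session, needs undoing):
#   Set-ExecutionPolicy unrestricted
#   .\THC.ps1
#   Set-ExecutionPolicy restricted
#
# Session-scoped form (Process scope dies with this window, nothing to undo):
function Invoke-ThcSession {
    param([string]$ScriptPath = '.\THC.ps1')   # assumed location

    if (-not (Test-Path -LiteralPath $ScriptPath)) { throw "Not found: $ScriptPath" }

    # Integrity check: compare with the hash you noted at download time (placeholder, not a project value)
    $expected = '<SHA256 recorded when you downloaded THC.ps1>'
    $actual   = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash
    Write-Host "SHA256 $actual"
    if ($expected -notlike '<*' -and $actual -ne $expected) { throw 'THC.ps1 hash does not match the recorded value' }

    $machineBefore = Get-ExecutionPolicy -Scope LocalMachine
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force   # this session only, no admin needed
    try {
        & $ScriptPath
    } finally {
        # Show that the machine-wide policy was never touched
        $machineAfter = Get-ExecutionPolicy -Scope LocalMachine
        Write-Host "LocalMachine policy before: $machineBefore  after: $machineAfter"
        Get-ExecutionPolicy -List | Format-Table -AutoSize
    }
}

Invoke-ThcSession
```

The first command in the README (`powershell.exe -executionpolicy bypass -file .\THC.ps1`) already behaves this way, because the `-executionpolicy` switch on powershell.exe is process-scoped; this example only matters if you prefer an interactive session where you run `.\THC.ps1` more than once.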
To be added later.
Sysmon - requires a few policy adjustments (enable Audit Process Creation); go straight to the screenshots
- This process will be automated in the next release
DeepBlueCLI - a few known bugs
- This is being worked on.
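Until the Sysmon policy adjustment is automated, the added example below (written for this page, not part of THC) checks whether the Audit Process Creation subcategory is enabled, turns it on if you pass `-Enable`, and then confirms that process-creation events are actually landing in both the Security log (event 4688) and the Sysmon operational log (event 1). The subcategory is addressed by its GUID so the command works regardless of display language; the `ProcessCreationIncludeCmdLine_Enabled` registry value is the setting behind the "Include command line in process creation events" policy, which 4688 needs to be useful for hunting. The function name `Test-ProcessCreationAudit` is mine. Run it from an elevated prompt.

```powershell
# Added example (not part of THC): verify / enable Process Creation auditing and confirm events arrive.
function Test-ProcessCreationAudit {
    param([switch]$Enable)

    # Locale-independent identifier of the "Process Creation" audit subcategory
    $sub = '{0CCE922B-69AE-11D9-BED3-505054503030}'

    # auditpol /r emits CSV; the "Inclusion Setting" column reads e.g. "No Auditing" or "Success and Failure"
    $state = (auditpol /get /subcategory:$sub /r | ConvertFrom-Csv).'Inclusion Setting'
    Write-Host "Process Creation auditing: $state"

    if ($Enable -and $state -notmatch 'Success') {
        auditpol /set /subcategory:$sub /success:enable /failure:enable | Out-Null

        # Record the full command line inside 4688 events
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

        $state = (auditpol /get /subcategory:$sub /r | ConvertFrom-Csv).'Inclusion Setting'
        Write-Host "Process Creation auditing now: $state"
    }

    # Sysmon service present and running? (service is usually Sysmon or Sysmon64)
    $svc = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning 'Sysmon service not found; install it before hunting with DeepBlueCLI' }
    else { Write-Host "Sysmon service: $($svc.Name) is $($svc.Status)" }

    # Count recent process-creation events in each log; zero rows means the pipeline is not working yet
    $checks = @(
        @{ LogName = 'Security';                             Id = 4688 },
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1    }
    )
    foreach ($c in $checks) {
        $filter = @{ LogName = $c.LogName; Id = $c.Id; StartTime = (Get-Date).AddHours(-1) }
        $recent = Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue
        Write-Host ("{0} id {1}: {2} event(s) in the last hour" -f $c.LogName, $c.Id, @($recent).Count)
    }
}

Test-ProcessCreationAudit -Enable
```

If the Security count stays at zero after enabling, check whether a domain Group Policy is overriding the local advanced audit policy; if the Sysmon count is zero while the service is running, the Sysmon configuration is filtering event 1 out.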
Please always exercise caution and use only if authorized.
I'm a cybersecurity engineer working primarily for the financial industry, along with many SMB clients.
LinkedIn | Discord | GitHub | Email: adam@atomkim.com
If you have any feedback, suggestions, bug reports, or ideas, please reach out at adam@atomkim.com