/tht

Threat Hunting Toolkit is a Swiss Army knife for threat hunting, log processing, and security-focused data science

Primary LanguageShellMIT LicenseMIT

Threat Hunting Toolkit

The Threat Hunting Toolkit (THT) is a Swiss Army knife for threat hunting, log processing, and security-focused data science. It incorporates many CLI tools into one place for ease of deployment and includes wrappers and convenience features for ease of use. It comes packaged as a Docker image that can be deployed with a single command. Spend less time struggling with installation, configuration, or environment differences, and more on filtering, slicing, and data stacking.

Features

🧰 Easy to Install

  • Small - Keep download size under 300 MB.
  • Portable - Works across a variety of systems thanks to Docker.

📖 Fast to Learn

  • Consistent - Get the same configuration on every system, which means a familiar environment everywhere.
  • Format Agnostic - Avoid swapping between similar tools with annoying syntax variations for different formats including Zeek, CSV, TSV, and JSON.
  • Remove Boilerplate - Remove the boilerplate for common use cases with the included scripts, functions, and aliases.
  • Documented - There are cheatsheets and documentation available to get started right away.

🚀 Fast to Run

  • Optimized - Everything is benchmarked to find the fastest methods when there are several options.
  • Parallel - Many of the components take advantage of multiple CPU cores to process data in parallel.

Usage

The recommended method is to use the tht wrapper script included in the repo.

Install

sudo curl -o /usr/local/bin/tht https://raw.githubusercontent.com/ethack/tht/main/tht && sudo chmod +x /usr/local/bin/tht

Run

tht

Update

tht update
You can also start THT with a docker command.

From DockerHub

docker run \
    --rm -it \
    -h $(hostname) \
    --init \
    --pid host \
    -v /etc/localtime:/etc/localtime \
    -v /:/host \
    -w "/host/$(pwd)" \
    ethack/tht

From GitHub Container Registry

docker run \
    --rm -it \
    -h $(hostname) \
    --init \
    --pid host \
    -v /etc/localtime:/etc/localtime \
    -v /:/host \
    -w "/host/$(pwd)" \
    ghcr.io/ethack/tht

However, you will lose all the convenience features the tht wrapper script provides.

If you'd like to build the image or documentation manually, see here.

Documentation

For the current documentation, see here.

These pages are good place to get the lay of the land:

License

The source code in this project is licensed under the MIT license.

The documentation is licensed under the CC BY-NC-SA 4.0 license.